Attorney Docket No.: 198443US-10313-10313-2

TITLE OF THE INVENTION
ENCRYPTION OF PROGRAMS REPRESENTED AS 
POLYNOMIAL MAPPINGS AND THEIR COMPUTATIONS 

DISCUSSION OF THE BACKGROUND

Field of Invention 

The present invention relates to a secure encryption method, and more particularly to a 
method for converting a class of abstract computation machines (state machines) to a polynomial 
representation. 

Background of the Invention

Previous work on encrypted functions is described in T. Sander and C. Tschudin, "Protecting 
Mobile Agents Against Malicious Hosts," Springer LNCS 1419, pp. 44-60 (hereinafter "Sander") 
(the contents of which are incorporated herein by reference), which describes a system for evaluating 
a single encrypted polynomial. Sander describes encrypting polynomials by selecting an appropriate 
algorithm for encryption of the polynomial's coefficients on an individual basis. 

Additional research was performed on privacy homomorphisms. A simplistic description of a 
privacy homomorphism is an encryption function, e, such that 

e(x + y) = e(x) + e(y), e(xy) = e(x)e(y), etc.

Such privacy homomorphisms are discussed in R. Rivest, L. Adleman, and M. Dertouzos, "On Data 
Banks and Privacy Homomorphisms," in "Foundations of Secure Computation," editor R. DeMillo, 
Academic Press, 1978, ISBN 0-12-210350-5 (hereinafter "Rivest"), the contents of which are 
incorporated herein by reference. 

Multi-party computations are also known. Common for many of these protocols is that they
solve the problem where m people wish to evaluate a function f(x_1, ..., x_m), where each person P_i
knows only x_i, such that:

1. no information or a minimum of information about any x_j for j ≠ i is leaked
to P_i during the evaluation of the function f

2. the identity of all cheaters is known by the time the evaluation is completed

3. the value of f(x_1, ..., x_m) becomes known to all participants simultaneously
(or almost simultaneously) upon termination of the protocol.

One of the first protocols for secure multiparty computations was proposed in A. Yao, "Protocols for
Secure Computations (extended abstract)", 23rd Annual Symposium on Foundations of Computer
Science, 1982, IEEE Computer Society's Technical Committee on Mathematical Foundations of
Computing (hereinafter "Yao"), the contents of which are incorporated herein by reference. Yao
describes the case where m people want to compute f(x_1, ..., x_m) under the following conditions:

1. each person initially knows only x_i, and does not know the value of any x_j for j ≠ i

2. f must be computed such that after the computation, person P_i still knows
the exact value of only x_i, and does not know the value of any x_j for j ≠ i

Yao describes computing functions of the form f: X_1 × ... × X_m → V.

Another approach is described in G. Brassard and C. Crepeau, "Zero-Knowledge Simulation 
of Boolean Circuits," Advances in Cryptology — CRYPTO'86: Proceedings, Lecture Notes in 
Computer Science, Vol. 263, pp. 223-233, Springer-Verlag, 1986 (hereinafter "Brassard"), the
contents of which are incorporated herein by reference. Brassard describes a method of simulating
boolean circuits using zero-knowledge interactive protocols. For example, person B computes a
function f: D → {0, 1} in several rounds with the aid of person A. Person A provides data about the
evaluation to person B using a zero-knowledge interactive protocol. Person B cannot compute the 
encrypted evaluation from encrypted data supplied by person A. 

Chaum, Damgard, and van de Graaf, "Multiparty Computations Ensuring Privacy of Each 
Party's Input and Correctness of the Result," Advances in Cryptology — CRYPTO'87: Proceedings, 
editor C. Pomerance, Lecture Notes in Computer Science, Vol. 293, pp. 87-119, Springer-Verlag,
1987 (hereinafter "Chaum") (the contents of which are incorporated herein by reference) describes an 
alternative to Yao's protocols. That alternative requires less computation, but assumes quadratic 
residues. 

Abadi, Feigenbaum, and Kilian, "On Hiding Information from an Oracle," Journal Computer 
System Science, Vol. 39 (1989), 21-50 (hereinafter "Abadi_l") (the contents of which are 
incorporated herein by reference) discusses computing with encrypted data. The abstract describes 
that: Player A wishes to know the value f(x) for some x but lacks the power to compute it. Player B
has the power to compute f and is willing to send f(y) to A if she sends him y, for any y. A encrypts x,
sends y=E(x) to B, who then computes f(y), returns this result to A, who then infers f(x) from f(y). M.
Abadi and J. Feigenbaum, "Secure Circuit Evaluation," Journal of Cryptology, No. 2, pp. 1-12, 1990
(hereinafter "Abadi_2") (the contents of which are incorporated herein by reference) describes a
related problem. A protocol is used to evaluate a function f(x) by two parties, where one knows how
to compute f but does not know x, and the other party knows x, but not how to compute f. The f in
question would be expressed as a boolean circuit. This is in fact again the privacy homomorphism
problem.

Additional work has been performed recently by M. Naor and B. Pinkas, "Oblivious Transfer 
and Polynomial Evaluation", STOC'99, pp. 245-254, and C. Cachin, J. Camenisch, J. Kilian, and J.
Mueller, "One-Round Secure Computation and Secure Autonomous Mobile Agents", ICALP 2000,
pp. 512-523, and D. Beaver, "Minimal-Latency Secure Function Evaluation", EUROCRYPT 2000,
pp. 335-350 (the contents of each of those references is incorporated herein by reference).

Encryption systems are discussed in patents such as: US Pat. No. 4,120,030, US Pat. No. 
4,168,396, US Pat. No. 4,278,837, US Pat. No. 4,306,389, US Pat. No. 4,319,079, US Pat. No.
4,433,207, US Pat. No. 4,465,901, US Pat. No. 4,633,388, US Pat. No. 4,764,959, US Pat. No.
4,847,902, US Pat. No. 4,937,861, US Pat. No. 5,007,082, US Pat. No. 5,033,084, US Pat. No. 
5,153,921, US Pat. No. 5,341,429, US Pat. No. 5,392,351, US Pat. No. 5,544,244, US Pat. No. 
5,592,549, US Pat. No. 5,892,899, US Pat. No. 6,052,870, and US Pat. No. 6,049,609. 

As additional background, a brief discussion of representing programs as polynomials is 
provided herein. The polynomial representation of a program is generated in two steps. First, the 
program as represented in a programming language is transformed to an abstract computation 
machine. Second, the abstract computation machine is transformed to a polynomial mapping. As 
would be appreciated by one of ordinary skill in the art, the transformation of a program in a 
programming language is a process specific to the selected programming language, and 
transformation methods are constructed for each programming language. 

L. Blum, M. Shub, and S. Smale, "On a Theory of Computation and Complexity over the 
Real Numbers: NP-completeness, Recursive Functions, and Universal Machines," Bulletin of the 
American Mathematical Society, vol. 21, No. 1, pp. 1-46 (hereinafter "Blum") (the contents of which
are incorporated herein by reference) describes transforming abstract computation machines to 
polynomials. In addition, it is possible to represent the computations of most types of finite automata 
using polynomials over a finite field. 

SUMMARY OF THE INVENTION 
The present invention addresses computation when secrets are kept in the memory of a 
computer, such that no secrets are represented in plaintext prior to, during, or after the computation,
unless the computation itself dictates otherwise. The invention reduces the need for communication 
between parties during computation. The invention achieves this with a method and system for 
encrypting programs, as well as a method and system for representing a class of abstract computation 
machines using polynomials. The invention also achieves this with a method and system for directly
encrypting function tables. 

Additionally, the invention also provides a method and system for encrypting abstract 
computation machines represented in part using state-transition tables. Accordingly, it is an object of 
the present invention to overcome deficiencies in known encryption methods and systems. 

It is a further object of the present invention to provide encrypted universal (Turing) 
computation. 

It is a still further object of the present invention to provide encrypted universal interactive 
(Turing) computation. 

It is another object of the present invention to provide a method and system for transforming 
abstract computation devices to computation devices expressed with polynomials. 

Another object of the present invention is to provide a method and system for renewing — or 
re-encrypting — a partially encrypted state machine. 

BRIEF DESCRIPTION OF THE DRAWINGS

A more complete appreciation of the invention and many of the attendant advantages thereof 
will be readily obtained as the same becomes better understood by reference to the following detailed 
description when considered in connection with the accompanying drawings, wherein: 

Figure 1 is a schematic illustration of a computer system for providing encrypted computing 
according to one embodiment of the present invention; 

Figure 2 is a top view of a smartcard for performing encrypted computation; 

Figure 3 is a block diagram of a smartcard chip for the smartcard of Figure 2; 

Figure 4 is a schematic illustration of a client remotely logging into a server computer; 

Figure 5A is an automata transition diagram illustrating inputs, outputs and transitions in an
exemplary state machine that does not already have a dedicated stopping state, q^;

Figure 5B is a function table corresponding to the transition diagram of Figure 5A;

Figure 5C is a transition diagram illustrating inputs, outputs and transitions in an exemplary 
state machine that already has an isolated node that can be used as a dedicated stopping state, q^; 

Figure 5D is a function table corresponding to the transition diagram of Figure 5C; 

Figure 6A is a transition diagram corresponding to the addition of inputs and outputs 
supporting the addition of the dedicated state to the diagram of Figure 5A;

Figure 6B is a corresponding function table supporting the augmented automata of Figure 6A;

Figure 6C is a transition diagram corresponding to the addition of inputs and outputs
supporting the designation of the dedicated state in the diagram of Figure 5C;

Figure 6D is a corresponding function table supporting the augmented automata of Figure 6C;

Figures 7A-7C illustrate vectorization examples for N=2, 3, and at least 4 for the diagram of 
Figure 6C; 

Figures 8A-8C illustrate determining prime numbers A'^ based on a selected vectorization of a 
state machine as defined in Figure 7; 

Figures 9A and 9B illustrate a method of adding states to Q \ adding dummy input symbols, 
dummy output symbols, and completing the state machine function table, using the example of Figure 
5C as augmented in Figure 7; 

Figure 10 illustrates a random assignment of entries after adding dummy input and output
symbols; 

Figure 11A illustrates an initial function table (corresponding to the vectorization of Figure
8B) prior to adding entries corresponding to a random duplication of states;

Figure 11B illustrates an augmented function table in which a randomly selected non-dedicated
state was selected as a source of a copy operation for a first row with undefined elements;

Figures 11C and 11D illustrate transition diagrams corresponding to the function tables of
Figures 11A and 11B, respectively;

Figure 12A illustrates an augmented function table (repeated from Figure 11B) prior to
randomizing links transitions (or arcs) during a random row copying process; 

Figure 12B illustrates an augmented function table in which a transition of Figure 12A is 
modified after copying a row; 

Figures 12C and 12D illustrate transition diagrams corresponding to the function tables of 
Figures 12A and 12B, respectively; 

Figures 13A and 13B illustrate a function table before and after two nodes are switched; 

Figures 14A and 14B illustrate a function table before and after two input symbols are 
switched; 

Figures 15A and 15B illustrate a function table before and after two output symbols are 
switched; 

Figure 16A is a polynomial mapping of inputs and states to outputs; 
Figure 16B is a polynomial interpolation for various states and inputs; 
Figure 17 illustrates a method of precomputing the a^x) functions; 
Figure 18 illustrates an exemplary BSS machine to be converted to a BSS' machine
according to one aspect of the present invention; 

Figure 19 illustrates a method of transforming the BSS machine of Figure 18; 

Figure 20A illustrates a method of transforming the BSS machine of Figure 19 into a BSS' 
machine; 

Figure 20B illustrates an equivalent BSS' machine generated from scratch; 
Figure 21 illustrates a method of transforming a BSS' machine into a single polynomial 
mapping; 

Figures 22A-22C illustrate three consecutive steps of a key generation process;
Figure 23 illustrates a graph for use in computing a permutation and its inverse via 
interpolation; 

Figures 24A and 24B illustrate two arithmetic operations over a field as exemplified for Z5; 

Figures 25A-25C illustrate encrypting plural variables and mapping components of 
multivariate polynomials with univariate polynomials; 

Figure 26A illustrates a partially encrypted ^ ° h to be used as a starting point in a process 
of re-encrypting plural variables and mapping components of multivariate polynomials with second 
univariate polynomials; 

Figure 26B illustrates a process of re-encrypting plural variables and mapping components of 
multivariate polynomials with second univariate polynomials; 

Figure 26C illustrates a result of the re-encrypting process of Figure 26B; 

Figure 27A illustrates a mapping f represented by a function table;

Figure 27B illustrates a function table tj- from the function table of Figure 27A;

Figures 27C and 27D generally illustrate converting from a function table for f to a function
table for t/. 

Figures 28A-28E illustrate a process of symbolically composing mappings represented as 
function tables to produce a combined function table; 

Figures 29A and 29B illustrate a process of generating keys for multivariate encryption of 
multivariate polynomial mappings; 

Figure 30 illustrates the process of encrypting plural variables and mapping components of 
multivariate polynomials with multivariate polynomials; 

Figure 31A illustrates the process of re-encrypting plural variables and mapping components
of multivariate polynomials with second multivariate polynomials;

Figure 31B illustrates the result of the process of Figure 31A;



Figure 32A illustrates a process of symbolically composing mappings represented as function 
tables to produce a combined function table; 

Figure 32B illustrates the result of the process of Figure 32A;

Figure 33 illustrates a process of symbolically composing mappings represented as function 
tables to produce a combined function table; 

Figure 34 illustrates a Turing platform supporting unencrypted and partially encrypted 
composition for some machine M on a host O;

Figure 35 illustrates a method of computing with host O running a Turing platform T 
supporting at least one Mealy register or BSS' machine M; 

Figure 36A illustrates a state of a register machine including register vectors, an instruction 
pointer vector, and a storage pointer vector; 

Figure 36B illustrates shared data in the form of D-vectors including a storage cell S^ that is
indexed by D;

Figure 36C illustrates instructions in the form of C-vectors including a storage cell S^ that is
indexed by C;

Figure 36D illustrates a method of operating on the state of Figure 36A;
Figure 36E illustrates the result of the method of Figure 36D; 

Figures 37A-38C illustrate a method of symbolic composition of two mappings using 
function tables; 

Figure 39A illustrates a method of generating keys for parameterized encryption of 
multivariate mappings; 

Figure 39B illustrates a result after one step of the process of Figure 39A; 

Figure 40 illustrates a method of parameterized encryption of plural variables and mapping 
components of multivariate mappings with multivariate mappings; 

Figures 41A and 41B illustrate a method of augmenting a Mealy machine in preparation for
its use in computation; 

Figures 42A and 42B illustrate a method of obfuscation of a Mealy machine as part of a 
method of augmentation; 

Figures 43A and 43B illustrate processes of transforming state transition and output mappings
of an augmented Mealy machine to polynomial mappings where precomputation is and is not cost 
effective, respectively; 

Figure 44 illustrates a method of adapting a BSS machine for encrypted computation where 
the end result itself may be transformed into a single multivariate polynomial mapping; 
Figure 45 illustrates a method of specifying a BSS' machine directly; 




Figure 46 illustrates a method of transforming a BSS' machine into a single multivariate 
polynomial mapping; 

Figure 47 illustrates a method of transforming a BSS' machine into a single mapping 
represented as a function table; 

Figure 48 illustrates a method of specifying an initial state for a BSS' machine; 

Figure 49 illustrates a method of computing with a BSS' machine transformed to a single 
multivariate mapping if (the BSS' machine's computing endomorphism); 

Figure 50 illustrates a method of specifying a pattern of encryption of multivariate mappings 
with univariate mappings; 

Figure 51 illustrates a method of generating keys for univariate encryption of multivariate 
mappings; 

Figure 52 illustrates a method of encrypting plural variables and components of multivariate 
mappings represented using either polynomials or function tables with univariate functions; 

Figure 53 illustrates a method of generating re-encryption keys for re-encryption of plural 
variables and components of multivariate mappings, already partially encrypted using first univariate 
functions, with second univariate functions; 

Figure 54 illustrates a method of re-encrypting plural variables and mapping components of 
multivariate mappings, already partially encrypted using first univariate functions, with second 
univariate functions; 

Figure 55 illustrates a method of converting from a mapping, given as a function table, to a 
function given as a function table;

Figure 56 illustrates a method of converting from a function, given as a function table, to a 
mapping given as a function table; 

Figure 57 illustrates a method of symbolically composing two mappings, both represented as
function tables, to produce a function table for their composition, g(f(x));

Figure 58 illustrates a pattern of encryption of multivariate mappings with other multivariate 
mappings; 

Figure 59 illustrates a method of generating keys for multivariate encryption of multivariate 
mappings; 

Figure 60 illustrates a method of encrypting plural groups of variables and groups of mapping 
components of multivariate mappings, h, with other multivariate mappings; 

Figure 61 illustrates a method of generating re-encryption keys for re-encrypting of a
multivariate mapping, h, already partially encrypted with a first multivariate mapping, s, with second 
multivariate mappings; 
Figure 62 illustrates a method of re-encrypting a multivariate mapping, h, already partially
encrypted with a first multivariate mapping, s, with second multivariate mappings; 

Figure 63 illustrates a method of symbolically composing f and hy, represented as
function tables, to produce a function table for the composition,X/?i(), /ijO, - ^^0); 

Figure 64 illustrates a method of symbolically composing f and ^, ... /i^ represented as
function tables, to produce a function table for the composition, 

Figure 65 illustrates a method of computing with a host O running a Turing platform T 
supporting at least one of a Mealy and a BSS' machine M; 

Figure 66 illustrates a method of initializing a register machine; 
Figure 67 illustrates a method of computing with a register machine; 

Figure 68 illustrates a method of computing with a register machine M supported by a Turing
platform T, on a host O; 

Figure 69 illustrates a method of symbolically composing f with and hi, ... represented as
function tables, to produce a mapping; 

Figure 70 illustrates a method of symbolically composing h^,..., with f where all mappings
are represented as function tables, producing a new composite mapping; 

Figure 71 illustrates a method of specifying a pattern of parameterized encryption of 
multivariate mappings with other multivariate mappings; 

Figure 72 illustrates a method of generating keys for parameterized multivariate encryption of 
multivariate mappings; 

Figure 73 illustrates a method of encrypting a multivariate mapping h with parameterized 
multivariate mappings; 

Figure 74 illustrates a method of specifying an encryption pattern for parameterized 
encryption for a specialized application of a register machine; 

Figures 75 A and 75B illustrate a method of key generation for parametric encryption that is 
specially adapted for application to a register machine; and

Figure 76 illustrates a method of parameterized encryption specifically adapted to application 
to a register machine. 

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT
Referring now to the drawings, wherein like reference numerals designate identical or
corresponding parts throughout the several views, Figure 1 is a schematic illustration of a computer
system for providing encrypted computing. A computer 100 implements the method of the present
invention, wherein the computer housing 102 houses a motherboard 104 which contains a CPU 106,
memory 108 (e.g., DRAM, ROM, EPROM, EEPROM, SRAM, SDRAM, and Flash RAM), and other
optional special purpose logic devices (e.g., ASICs) or configurable logic devices (e.g., GAL and
reprogrammable FPGA). The computer 100 also includes plural input devices, (e.g., a keyboard 122
and mouse 124), and a display card 110 for controlling monitor 120. In addition, the computer system
100 further includes a floppy disk drive 114; other removable media devices (e.g., compact disc 119,
tape, and removable magneto-optical media (not shown)); and a hard disk 112, or other fixed, high
density media drives, connected using an appropriate device bus (e.g., a SCSI bus, an Enhanced IDE
bus, or an Ultra DMA bus). Also connected to the same device bus or another device bus, the
computer 100 may additionally include a compact disc reader 118, a compact disc reader/writer unit
(not shown) or a compact disc jukebox (not shown). Although compact disc 119 is shown in a CD
caddy, the compact disc 119 can be inserted directly into CD-ROM drives which do not require 
caddies. In addition, a printer (not shown) also provides printed listings of the results of encrypted 
computing. 

As stated above, the system includes at least one computer readable medium. Examples of 
computer readable media are compact discs 119, hard disks 112, floppy disks, tape, magneto-optical
disks, PROMs (EPROM, EEPROM, Flash EPROM), DRAM, SRAM, SDRAM, etc. Stored on any 
one or on a combination of computer readable media, the present invention includes software for 
controlling both the hardware of the computer 100 and for enabling the computer 100 to interact with 
a human user. Such software may include, but is not limited to, device drivers, operating systems and 
user applications, such as development tools. Such computer readable media further includes the
computer program product of the present invention for providing encrypted computing. The 
computer code devices of the present invention can be any interpreted or executable code mechanism, 
including but not limited to scripts, interpreters, dynamic link libraries, Java classes, and complete 
executable programs. Such computer code devices may also be dynamically loaded across a network 
(e.g., downloaded from a Wide Area Network (e.g., the Internet)). 

As described above, the computer program devices of the present invention can be 
implemented in numerous ways. In one embodiment of those code devices, the devices are not 
separate programs but rather are plug-ins to a separate program. In such an embodiment, an 
Application Programming Interface (API) provides a definition of how the encryption and decryption
parameters are passed between the program and the plug-in performing the encryption. APIs and 
plug-ins, such as the Pretty Good Privacy (PGP) interface and plug-in that enables e-mail to be 
encrypted or decrypted within mail programs such as Eudora Mail and Microsoft Outlook, are 
known. Accordingly, one of ordinary skill in the art, based on the present specification, would be
able to make and use an API and/or interface for performing encrypted computing. 

Applications of the present invention include, but are not limited to, the following:

• smart cards (see Figures 2 and 3) and similar trusted computing bases for
high-security applications since current smart cards are vulnerable because they still
do sensitive processing unencrypted

• software implementations of cryptosystems on insecure platforms (see Figure 1)

• third party key generation systems, where trust of the party generating the keys is
crucial to its value as a part of a security system

• secure remote logins and cryptographic operations (see Figure 4).

The present invention also enables the construction of secure mobile agents for computer systems 
that have no inherent limitations on their computing ability. 

The present invention provides a method and system for constructing "black-box" programs 
for computations. The cryptographically enhanced functions (e.g. polynomials or state transition 
tables) produced by the method and system are applied to carry out a computation specified by a state 
machine. Thus, the method: 

1. makes incomprehensible the nature of the program itself in its cryptographically
enhanced function representation, 

2. ensures that workspace used by the program is encrypted during use, and 

3. ensures encryption of output, if desirable. 

As a preliminary matter, as used herein, the phrase "partially encrypted" refers to a set of 
functions in which at least one function is cryptographically enhanced without requiring that all 
functions in the set be cryptographically enhanced. The present invention is applicable in at least four 
computations. The first computation involves at least two parties, A and B, where A wishes to execute 
a computation using B's computing resources such that: 

1. A supplies B with a partially encrypted abstract computing machine, f,
expressed using cryptographically enhanced functions, and a partially 
encrypted initial state, wherein the abstract computation machine is 
transmitted either alone or within a conventional programming language (e.g. 
Java, Pascal, C, C++, machine code), part of which executes the 
computations of the partially encrypted abstract computing machine, and 
2. B supplies any input "requested" by f, depending on which variant of the
abstract computing machine A decides to use. When using a conventional
program, B supplies input indirectly through the program.

Such computation can be used in an electronic wallet environment.

The second computation involves one party, A, that uses A's own resources where A supplies
the partially encrypted abstract computing machine, the partially encrypted initial state, and any 
resources the abstract computing machine interacts with during its computation. In all three of those 
computations, A may also choose to supply some additional data with the abstract computing 
machine, that will allow parts of it to become re-encrypted under new encryption keys. Such 
encrypted computations can be used by users who wish to prevent "eavesdropping" on ongoing 
computation. 

The third computation involves at least two parties A and B, where B wishes to execute a 
computation using A's data such that:

1. A supplies B with a conventional program, expressed in a conventional programming
language, part of which executes a computation of a partially encrypted abstract
computing machine, f, expressed using polynomials, where a partially encrypted initial
state is given by A (either separately or along with the program), and

2. A supplies B with the input "requested" by f indirectly through the program sent to B
by A, depending on the variant abstract computing machine A decides to use, and 
whether or not A decides to let its program allocate resources. 

Such encrypted computations can be used to enable off-line document release and online interactive 
document services. 

The fourth computation involves at least two parties A and B, where B wishes to execute a 
computation using A's data such that:

1. A supplies B with a conventional program, expressed in a conventional programming
language, part of which executes a computation of a partially encrypted abstract computing
machine, f, expressed using polynomials or state transition tables, where a partially encrypted
initial state is given by A (either separately or along with the program), and

2. A supplies B with input "requested" by f indirectly through the program sent to B by A in
addition to input supplied by B, depending on the variant abstract computing machine A 
decides to use, and whether or not A decides to let its program allocate resources. 

In one such example, A provides B with data content (e.g. a DVD movie) that B plays back. The 
decision process as to whether or not the DVD is to be played (e.g. based on release date) is based on 
an encrypted computation. 
The present invention provides a method and apparatus for using a polynomial permutation
as an asymmetric secret key cryptosystem in constructing encrypted programs. The cryptosystem is
based on the symbolic function composition operation, and the fact that decomposing certain types of
multivariate polynomials over a field is an NP-hard problem. See M. Dickerson, "The Functional
Decomposition of Polynomials", Ph.D. Thesis, Cornell University, 1989, the contents of which are 
incorporated herein by reference. 

The relevant problem upon which the cryptosystem of the present invention is based is 
described herein as a special non-deterministic case of the so-called "General Decomposition 
Problem" for polynomials. Preliminary cryptanalysis suggests that it may offer very good 
cryptographic protection of the abstract state machine itself. The only currently known
(cryptographical) vulnerability is statistical analysis of input and output as the computation
progresses. Only the ciphertext itself appears to be vulnerable to such analysis. The partially
encrypted polynomial representation itself has no known vulnerabilities.

As a basis for the rest of the description provided herein, the process of representing abstract 
computing machines using polynomials is described herein. A Mealy machine is a six-tuple
M = (Q, Σ, Δ, δ, λ, q_0), where Q is the set of states, Σ is the input alphabet, Δ is the output alphabet,
δ: Q × Σ → Q is the state transition function, λ: Q × Σ → Δ is the output function, and q_0 is the initial state.

A Mealy machine M is converted to a polynomial mapping by augmenting the definition to
provide what is effectively a halting state. Thereafter, δ and λ are interpolated, using their definitions
to provide interpolation data. The result is a multivariate polynomial mapping that can be iterated
with input at each iteration to do the same computation as the machine M. The initial state is
specified as a vector of the form (x(0), y(0), z(0)), where x(0) is the actual initial state of the Mealy
machine M, y(0) is the initial input, and z(0) the initial output.



The computation is executed by iterating the mapping given in equation 1. This gives the relations: 

The class of automata presented in Blum requires modifications for it to be of use in expressing 
automata as polynomial mappings. The modifications are as follows: 

1. Comparison nodes have their greater-than-or-equal-to-zero relation replaced 
by a set membership relation, which is actually expressible as a polynomial 
over a finite field consisting of the integers modulo a prime number p. 

2. Computation and comparison nodes may be mixed. 

3. Output nodes are required to do computations (to avoid undue key exposure). 

4. There is one final node at which all halting computations must halt. 

According to the present invention, modified Blum-Shub-Smale machines (hereinafter 
referred to as "BSS' machines") operate over a finite field Z_N for a fixed prime number N. Such a 
machine includes (1) a state space Z_N^S, (2) an output space Z_N^O, (3) an input space Z_N^I, and (4) a 
directed graph with p numbered nodes; where S, O, and I are positive integers. The set 

'^N^'^N called the full state space of the Blum-Shub-Smale-like machine. The 

first component is the node number, the next S components are the automaton's internal work space, 
the O components after that, the output, and lastly, the I input components. The graph of the 
automaton has two main types of node variants: 

1. normal nodes, which must have at least one and at most p outgoing edges, 
and may have incoming edges; and 

2. the halting node, which can only have incoming edges, and one out-going 
edge pointing to itself. 

The nodes may also do one or more of the following: 

1 . compute one or more relations of the type e/CcZ^- iOl in order to select one of a list 
of possible outgoing edges for that node, in order to select the next node to be used in 
the computation; 

2. compute output to the output vector; 

3. assimilate input in the input vector; and 

4. carry out a computation with existing information from the state vector and the input 
vector. 

Such an automaton is transformed to a polynomial mapping 
called its computing endomorphism. H is of the form: 
(P(«,X(x))/E 

Where a_i(n) "chooses" the correct g_i mapping to apply on the internal work space and output 
depending on which node the computation has reached. The next-node function P(n, x) computes at 
which node the next computation step will take place. In this manner the automaton moves through 
its graph as though it were following a flow-chart. 

Because the set {0,...,p-1} must be a subset of Z_N, it is possible to denote the node number 
by x_1, the internal state components by x_2,...,x_{S+1}, the output components by x_{S+2},...,x_{S+O+1}, and the 
input components by x_{S+O+2},...,x_{S+O+I+1}. The components may or may not be in this order in any 
given embodiment. The components are hereafter assumed to be in this order 
to simplify notation. Then the computing endomorphism simply operates on x, and is essentially a 
mapping H:Z^*^*'^*^-*Z^*^*^^^ . This notation will henceforth be used, as it seems to be better with 
respect to the BSS' machines. 

The use of univariate polynomials in encryption will now be discussed. Let m+n pairs (r_i, s_i) 
of mutually inverse permutations permuting the integers modulo N be given such that they are 
expressed as univariate polynomials. There may or may not be equal pairs (r_i, s_i) of mutually inverse 
permutations. Some pairs may or may not be the identity mappings (that is, they do no 
encryption/decryption). Let the r_i's denote the encryption keys, and the s_i's the decryption keys. 
Encryption of a polynomial mapping 

(f_1(x_1,...,x_m),..., f_n(x_1,...,x_m)) 

over the integers modulo N is done by composition, resulting in the encrypted mapping: 

This mapping will effectively compute f on data partially encrypted with the keys r_{n+1},...,r_{n+m}. It is 
then possible to decrypt the result by applying s_1,...,s_n to the individual components. The simplest 
option is to set all pairs (r_i, s_i) to some chosen pair (r, s). It is fully possible, however, to select 
individual encryption keys for each variable and function component. Note: to limit the size of the 
polynomials, and increase computational efficiency, the composition method employed by the 
invention exploits the fact that exponents greater than N−1 may be reduced in steps of N−1 until the 
exponent is less than N and greater-than-or-equal-to 0 (zero). This is done during the computation of 
the symbolic composition, so that no polynomial ever has any variable raised to a power higher than 
N−1. 

In order to apply this encryption system to the polynomial mapping representing a Mealy 
machine, some restrictions must be placed on the selection of key pairs (r_i, s_i). Recalling the form of 
the polynomial representation of a Mealy machine given in equation (1), it is clear that there are S+I 
variables, and S+O function components. Since the S first function components are always fed back 
into the S first variables, it becomes necessary to require (r_i, s_i) = (r_{S+O+i}, s_{S+O+i}) for 1 ≤ i ≤ S. It is 
assumed that y(n) has I components. In order to simplify subsequent notation, the partially encrypted 
version of the polynomial representation of an abstract state machine is written (E^°H), where H is 
the plaintext representation of the state machine. The symbol ° usually denotes functional 
composition, such that (f°g)(x) = f(g(x)). The resulting general expression for this encryption system 
applied to H is then: 

{E^ oH)(x(n^\), z(«+l))= 

rj(6i(5,(Xi(«)),...,5/jC5(«)),525,o,,Oi(«)),...,525^o,XyXn))),..., 
^s(^s(^i(^i("))'-"''^/^/"))'^25.c>.i(>'i(«))'"->^25.o.;0^/«)))'-". 

Although this encryption system protects the computation of the state machine from the 
platform it runs on, that does not preclude the possibility of the partially encrypted state machine 
sharing one or more encryption/decryption key pairs with the platform. This is why also the input 
components in equation (6) are displayed as (partially) encrypted. 

For a BSS' machine there will effectively be 1+S+O mappings, and 1+S+O+I variables. Only 
1+S+I variables are used in the mappings. Also, similar to the partial encryption of the polynomial 
representation of a Mealy machine, the choice of mappings is restricted by the fact that output from 
the first 1+S mapping components is fed into the first 1+S variables for the state space at the next 
computation step. Thus, (r_{1+S+O+i}, s_{1+S+O+i}) = (r_i, s_i) for 1 ≤ i ≤ S+1. Thus, the resulting expression for the 
encrypted machine is of the form: 

•^1 +S+O*S+O+2^^S+O+20^y)'—'^\ +5+0+5+0+/+ C^) 

Note, in one embodiment of the present invention, at least one output component is chosen 
to be unencrypted. In that embodiment, the encryption function r_i is the identity mapping x, and is 
not applied to the component. Similarly, variables that do not need decrypting use the identity 
mapping x as decryption function s_i. 

The encryption system of the present invention is strengthened by the fact that it effectively 
includes a special type of non-linear equation system with an integer solution, half of whose variables 
remain undetermined by any equation. Moreover, the present invention protects the process of 
composing polynomials to produce a cryptosystem. 

It is possible to re-encrypt a mapping E^^°f partially encrypted with univariate polynomials, 
such that: 

1. None of the old encryption keys are revealed; 

2. None of the new encryption keys are revealed; 

3. The plaintext mapping f is not revealed; and 

4. None of the encryption keys protecting the new encryption keys are revealed. 

Let f be a mapping with n functional components expressed as polynomials in m variables. 
Assume f is partially encrypted using the key pairs (r_1,s_1),...,(r_{n+m},s_{n+m}) such that E^^°f may be 
written in the form given in equation (5). 

Re-encryption is achieved by: 

1. selecting a new set of key pairs (r_1',s_1'),...,(r_{n+m}',s_{n+m}'); 

2. for every 1 ≤ i ≤ n+m, symbolically composing r_i' with s_i to generate 
r_i'(s_i(x)); 

3. for every 1 ≤ i ≤ n+m, symbolically composing r_i with s_i' to generate 
r_i(s_i'(x)); 

4. for every variable x_i, n < i ≤ n+m, symbolically substituting x_i with r_i(s_i'(x_i)); 
and 

5. for every function component f_i, 1 ≤ i ≤ n, symbolically composing r_i'(s_i(x)) 
with r_i(f_i(...)). 

The re-encryption of a function component is possible based on the following equation: 

(8) 

so the result is f partially encrypted with the keys (r_1',s_1'),...,(r_{n+m}',s_{n+m}'). Since all (r_i,s_i) and (r_i',s_i') 
are initially secrets, the compositions r_i'°s_i and r_i°s_i' are effectively encrypted data for purposes of 
cryptanalysis. 

Encryption using multivariate polynomials is similar to encryption with univariate 
polynomials, except that tuples or blocks of variables may be encrypted and/or decrypted 
simultaneously. In the most general case, let f be a mapping with n components that is applied to m 
variables. Select k triples (c_i, r_i, s_i) satisfying: 

1. Every c_i is a positive integer; 

2. There is an l < k such that Σ_{i=1}^{l} c_i equals the number of components, n, in the 
mapping to be partially encrypted, and Σ_{i=l+1}^{k} c_i equals the number of 
variables, m, used by the mapping; 

3. Every r_i is a permutation of c_i-tuples of variables, and s_i is its inverse, thus 
r_i, s_i: Z_p^{c_i} → Z_p^{c_i}; and 

4. Every r_i and s_i is expressed as a polynomial mapping, such that if c_i > 1, 
then r_i and s_i are multivariate polynomial mappings with functional 
(polynomial) components (r_{i,1},...,r_{i,c_i}) and (s_{i,1},...,s_{i,c_i}), respectively. 

The r_i's denote encryption keys. The s_i's denote decryption keys. There may or may not be equal 
triples. Some permutations r_i and s_i may be selected to be the identity mapping (thus encryption 
and/or decryption are not performed). 

Illustratively, the n functional components and m variables are assembled in one "tuple" 
f_1,...,f_n, x_1,...,x_m. This is then partitioned into blocks as shown in the equation below: 

where f_1,...,f_n is Σ_{i=1}^{l} c_i = n components and x_1,...,x_m is Σ_{i=l+1}^{k} c_i = m variables. 



To achieve partial encryption, the keys are then applied to blocks as shown in the equation below: 

This general case can be reduced to the univariate case by setting c_i = 1 for all 1 ≤ i ≤ m+n. The partial 
encryption of 

f(x) = (f_1(x_1,...,x_m),..., f_n(x_1,...,x_m)) 
over the integers modulo N is done by functional composition, resulting in the encrypted mapping: 

/c,(^/.l(-^l'-'^c>-'^it(^«-c,-.l'-P^J))v.., 

/„(^,,i(xi,...^^^),...,^,(x^_^^,j,...,xj))) (9) 

Note that every r_i produces a tuple with c_i components, so in all, the partially encrypted 
mapping should have as many polynomial components as does f. To simplify the above notation, 
denote the tuple x_1,...,x_{c_{l+1}} by w_1, the tuple x_{c_{l+1}+1},...,x_{c_{l+1}+c_{l+2}} by w_2, and so on up to x_{m-c_k+1},...,x_m by 
w_{k-l}. Denote the function component tuple f_1,...,f_{c_1} by v_1, the tuple f_{c_1+1},...,f_{c_1+c_2} by v_2, and so on up 
to f_{n-c_l+1},...,f_n by v_l. This notation is illustrated in the equation below: 

/j,..., /^^,..., ^c.j.-. ^™-c,.i'-' Am- 

Using this notation, equation (9) may be rewritten as: 

$$\bigl(r_1(v_1(s_{l+1}(w_1),\ldots,s_k(w_{k-l}))),\ \ldots,\ r_l(v_l(s_{l+1}(w_1),\ldots,s_k(w_{k-l})))\bigr) \qquad (10)$$

When a polynomial representation, H, of a Mealy machine is to be encrypted using 
multivariate polynomials, there are some constraints on the selection of encryption keys. As in the 
univariate case, there are S function components of H, which are fed back into variables, and O 
function components which are not. This will only work as intended if (c.,r^^^=(Cj^.,ri^pSj^^ for all 
l<i<L, where /is such that 53/=i ^j^^- following set D-^!j^^ Cj. In any case, D may not 
exceed the number of variables, so in the case where there are more function components than 
variables, there may be function components free of such restrictions when deciding upon triples for 
encryption. Thus, the first L partially encrypted blocks of H's components must use the same key pairs 
as the first L partially decrypted blocks of H's variables. Recall that H's variables are written x(n), 
y(n), and that x is the state of the Mealy machine. Therefore the first L vectors/blocks w_i(n) will 
represent x(n) and possibly a little of y(n), and the remaining vectors/blocks will represent the rest 
of y(n), the input to the Mealy machine. The partially encrypted version of H, written E^°H, may 
for the case D=S be written as: 

x{n+\)An+Y)) = iE^j=H){x{n)S{ny) = 

lo(s,(w,(n)),...,sj(n)),s,^r^,^^^^^ (11) 



For the case D>S, the partially encrypted version of H, E^°H is defined as: 



The mapping E^°H effectively consists of polynomials q:.Zp*^^Zp. 

For the BSS' machines, the resulting expression resembles the above expressions, but is 
slightly simpler. There is one variable vector x(n) with 1+S+O+I components, and H has 1+S+O 
components. As with the Mealy machine, the triples (c_i, r_i, s_i) must equal 
(c_{l+i}, r_{l+i}, s_{l+i}) for 1 ≤ i ≤ L, where L is such that Σ_{j=1}^{L} c_j ≥ 1+S and Σ_{j=1}^{L−1} c_j < 1+S. Set D = Σ_{j=1}^{L} c_j. In 
any case, D may not exceed the number of variables, so in the case where there are more function 
components than variables, there may be function components free of such 
restrictions when deciding upon triples for encryption. The partially encrypted state and output data 
after n applications of H is defined as w 

The partially encrypted version of Hfor a BSS' machine is defined as: 

^i.^.o(^i(^i(«))v-->^K^K«))'^/./.i(^r.i(«))'--^fc(^^-/(«))))) (13) 

This cryptosystem appears to be based on an NP-hard problem: that of decomposing the 
encrypted polynomial mapping to obtain the obscured polynomials doing the actual computation. 
Also, as in the univariate case, solution of the problem requires solving a system of non-linear integer 
equations, where there are half as many equations as there are variables. 

It is possible to re-encrypt a mapping E^^°f partially encrypted with multivariate 
polynomials, such that: 

1. None of the old encryption keys are revealed; 

2. None of the new encryption keys are revealed; 

3. The plaintext mapping f is not revealed; and 

4. None of the encryption keys protecting the new encryption keys are revealed. 

Let f be a mapping with n functional components expressed as polynomials in m variables. Assume f 
is partially encrypted using the key triples (c_1,r_1,s_1),...,(c_k,r_k,s_k) as described above such that E^^°f 
may be written in the form given in equation (9). Re-encryption is achieved by: 

1. selecting a new set of key triples (c_1,r_1',s_1'),...,(c_k,r_k',s_k'), such that block sizes 
are preserved; 

2. for every l<i<k symbolically composing r_i' with s_i to generate r_i'(s_i(v)); 

3. for every l<i<k symbolically composing r_i with s_i' to generate r_i(s_i'(w_{i-l})); 

4. for every block of variables l<i<k, symbolically substituting w_{i-l} with 

5. for every block of function components v_i, 1 ≤ i ≤ l, symbolically composing 
r_i'(s_i(...)) with r_i(f_i(...)). 

The re-encryption of a function component f_i described herein is performed according to the following equation: 

=r!(f,(sU-^i),...,sl(w,_;))) (14) 

so the result is f partially encrypted with the keys (c_1,r_1',s_1'),...,(c_k,r_k',s_k'). Note that for the 
multivariate case, proper re-encryption is possible only if the new key triples partition f and its 
variables into the same blocks as the original key triples did. Since all (c_i,r_i,s_i) and (c_i,r_i',s_i') are 
initially secrets, the compositions r_i'°s_i and r_i°s_i' are effectively encrypted data for purposes of 
cryptanalysis. It is important to note that equation (14) includes three instances of the use of the 
identity operator. In applying s_i(r_i(...)), the operators s and r cancel and could, therefore, be replaced 
by the identity operator. 

In order for the polynomial representation of Mealy machines, and the BSS' machines to be 
of significant usefulness, proper host support is required. Such support is called a Turing platform. 
This support is required for the subsequently described register machine. 
Call the host O. A Turing platform T includes: 

• a very simple, slightly modified Turing machine with unbounded, linearly 
addressed storage, each storage unit being called a cell; and with a so-called 
finite control with position in the storage; 

• an output register writeable by the finite control, which holds one storage 
unit; 

• an input register readable by the finite control, which holds one storage unit, 
and one of three possible movement directions (left, stand still, right); 

• an output register writeable by O, which is part of the input of the supported 
state machine; and 

• an input register readable by O, which is part of the output of the supported 
state machine. 

A complete computation step for a Mealy machine or a BSS' machine M supported by a 
Turing platform proceeds according to the diagram of Figure 35, in which the numbered steps 
correspond to: 

1. T reads the cell at which its finite control is placed. 
2. T writes the cell to the input of M, 
3. O writes to the input of M, 
4. M computes the next state. 
5. M computes output and writes it to the input of T, 
6. M computes output and writes it to the input of O, 
7. M computes the direction of movement, and writes it to T, 
8. T reads from its input register, 
9. T writes the input to the cell. 
10. T moves left, right, or stands still, if possible. 



Use of a Turing platform to support the computations of Mealy and BSS' machines allows 
them to do completely general computations, if necessary, effectively making them equivalent to 
Turing machines in computational power. 

The basic structure of the method and apparatus of the present invention 
implements: 

1. preprocessing of Mealy machines' mappings in preparation for either transformation to 
polynomial mappings or direct encryption, 

2. transformation of Mealy machines' mappings to polynomial mappings, 

3. a BSS' machine, 

4. transformation of the mappings of BSS' machines to polynomial mappings, 

5. symbolic composition of mappings (including polynomial mappings) using their function 
tables, 

6. encryption of Mealy machines with finite controls, expressed as function tables, using 
composition of function tables, 

7. encryption and decryption of polynomial mappings and data using univariate polynomials, 

8. re-encryption of mappings partially encrypted with univariate polynomial mappings, 

9. encryption and decryption of polynomial mappings and data using multivariate polynomials, 

10. re-encryption of mappings partially encrypted with multivariate polynomial mappings, 

11. a specialization of encryption and decryption of polynomial mappings with multivariate 
polynomials using two-variable polynomials, 

12. a device for supporting polynomial-based computation, 

13. a register machine well adapted to encryption by the cryptosystems presented herein, and 

14. a system for parametrized multivariate encryption presented, will now be described in detail. 

Using a modified notation as compared to above, a Mealy machine is a six-tuple 
M=(Q,Σ,Δ,δ,λ,q_0), where Q is the set of states, Σ the input alphabet, Δ the output alphabet, 
δ: D → Q the state transition function, λ: D → Δ the output function, and q_0 the initial state. The 
domain D of δ and λ is a possibly trivial subset of Q×Σ. 

Prior to transformation, state machines are augmented, such that they halt in one particular 
state. This is necessary for Mealy machines and BSS' machines that are not intended for use with 
Turing platforms in their cryptographically enhanced form. The augmentation is also intended to 
partially obscure the workings of the machine by introducing redundant states and transitions, 
without affecting the machine's functionality during any error-free execution. Therefore, 
augmentation may be beneficial also for Mealy and BSS' machines intended for use with Turing 
platforms in their cryptographically enhanced form. The augmented machine will be called M'. The 
augmentation is carried out using the following steps: 

• If M does not have an output symbol B reserved as a "blank" symbol (i.e., a symbol 
indicating that there is no semantic content), add a new symbol B (which cannot equal any 
symbol in Δ) to the output alphabet Δ, setting Δ'=Δ∪{B}, otherwise set Δ'=Δ, and call B the 
previously reserved "blank" symbol (also referred to herein as the stopping state output 
symbol). 

• If M has a state q∈Q such that for all inputs σ∈Σ no pair (q,σ) is contained in D, then call the 
state q_a and define Q'=Q. If M has a state q∈Q such that for all inputs σ∈Σ, δ(q,σ)=q, call 
the state q_a, set λ(q,σ)=B for all inputs σ∈Σ, and define Q'=Q. Otherwise: 
• add a new state, such that -^qJ'^Q, 

• for every node q≠q_a such that δ(q,σ)=q for all inputs σ∈Σ, set δ(q,σ)=q_a and 
λ(q,σ)=B for every σ∈Σ. 

Q' is the set of states of M'. The state q_a hereinafter is referred to as "the augmentation state". M' is 
the augmented Mealy machine. 

The next step is to determine the number of elements in Q and Δ, and how they are to be 
represented using (possibly one-dimensional) vectors over the ring Z_N of integers modulo N. This step 
determines the least possible selectable N. If the Mealy machine is to be represented using 
polynomials, N must be a prime number. If the Mealy machine is to be represented using function 
tables, N does not have to be a prime number. When N has been selected, the elements of Q are given 
a representation in Z_N^S, S ≥ 1 fixed. Similarly, the elements of Δ are represented by elements in Z_N^O, 
O ≥ 1 fixed; and the elements of Σ are represented by elements in Z_N^I, I > 0 fixed. Thus, Q' ⊂ Z_N^S, 
Δ ⊂ Z_N^O, and Σ ⊂ Z_N^I. 

• Set A -A. The next step can be done in four different ways: 

1 . Nothing more is done to complete the state transition table of M, and the undefined 
entries are marked as such. This requires an additional table with flags, each flag 
marking whether a corresponding entry in the state transition table is defined or not. 
This may only be done if the Mealy machine is represented using polynomials. 

2. If Q contains a number of states less than that representable within Z_N^S, add dummy 
states to Q, until it contains N^S states. If Σ contains a number of inputs less than that 
representable within Z_N^I, add dummy input symbols to Σ' until it contains N^I 
symbols. If Δ' contains a number of outputs less than that representable within Z_N^O, 
add dummy output symbols to Δ' until it contains N^O symbols. For each pair (q,σ)∉D, 
set δ'(q,σ)=q_a and λ'(q,σ)=B, where B is a fixed symbol chosen from the output 
alphabet. 

3. If Q∪{q_a} contains a number of states less than that representable within Z_N^S, do the 
following until Q' contains N^S states: 

■ For a randomly chosen state q∈Q (alternatively the current Q'−{q_a}) add a 
state q' to Q'. 

■ For every input σ∈Σ set δ'(q',σ)=δ(q,σ). 

■ Optionally, one may also for every pair (q,σ)∈Q'×Σ such that δ(q,σ)=q, 
randomly set δ'(q',σ) to q or q'. 

If Σ contains a number of inputs less than that representable within Z_N^I, add 
dummy input symbols to Σ' until it contains N^I symbols. If Δ' contains a 
number of outputs less than that representable within Z_N^O, add dummy output 
symbols to Δ' until it contains N^O symbols. For each pair (q,σ)∉Q'×Σ, set 
δ'(q,σ) to a random q'∈Q and set λ'(q,σ) to a random symbol from Δ'. 

4. If Q contains a number of states less than that representable within Z_N^S, add dummy 
states to Q, until it contains N^S states. If Σ contains a number of inputs less than that 
representable within Z_N^I, add dummy input symbols to Σ' until it contains N^I 
symbols. If Δ' contains a number of outputs less than that representable within Z_N^O, 
add dummy output symbols to Δ' until it contains N^O symbols. For each pair (q,σ)∉D, 
set δ'(q,σ) equal to a random q'∈Q and set λ'(q,σ) equal to a random symbol from the 
output alphabet. 

Define the domain of M' to be D'=Q'×Σ'. The resulting M' should now be somewhat 
different from M, yet still compute the same function as M. 

Three optional additional steps may be carried out, provided the augmentation made use of 
methods 2-4 above. Each of the options is independent of the others, so that any embodiment 
may elect to employ one of, two of, or all of the three steps described below. 

o First, it is possible to permute some or all of the states without affecting the 
computation carried out by M. When interchanging a state q with q', δ'(q,σ) takes on 
the old value of δ'(q',σ) for every σ∈Σ', and vice-versa. Similarly, λ'(q,σ) takes on 
the old value of λ'(q',σ) for every σ∈Σ'. The interchanges may be made one by one or 
may be entirely precomputed in the form of a permutation expressed using a function 
table. 

o Second, it is possible to permute part or all of the extended input alphabet Σ'. When 
interchanging a symbol σ with σ', δ'(q,σ) takes on the old value of δ'(q,σ') for every 
q∈Q' and vice-versa. Similarly, λ'(q,σ) takes on the old value of λ'(q,σ') for every 
q∈Q' and vice-versa. The interchanges may be made one by one or may be entirely 
precomputed in the form of a permutation expressed using a function table. These 
interchanges, however, must have corresponding interchanges in the output alphabet 
for any symbols used to represent state information. Changes must be made known 
to the host that is to execute the cryptographically enhanced Mealy machine if they 
affect inputs to be made by the host platform. Thus at some changes may have to be 
recorded during augmentation. 

o Third, it is possible to permute part or all of the extended output alphabet Δ'. When 
interchanging a symbol x with another symbol x', every λ'(q,σ)=x takes on the value 
x'. Similarly every λ'(q,σ)=x' takes on the value x. Similar restrictions apply to this 
operation as with the permutation of the extended input alphabet. Changes must be 
made known to the host that is to execute the cryptographically enhanced Mealy 
machine if they affect outputs to the remote host platform. Thus at some changes 
may have to be recorded during augmentation. 

Note that x, x', q, q', σ, σ', λ, λ', and δ' may or may not have vectorized representations. 
The act of permuting certain vector components of, say σ, is the same as selecting a 
subset of Σ' which one intends to permute. 

The next step is the specification of what will be called the full state vector of M. This 
vector is written: 

where x(i) is a vector containing the state of the Mealy machine after i computation steps, z(i) is a 
vector containing the output after i computation steps, and y(i) is a vector containing the input given 
at the i-th computation step. This is a notational convenience, which is adapted to the subsequent 
descriptions of the cryptosystem(s). 

In some embodiments where the Mealy machine is represented using polynomials, the 
coefficients of the polynomials 

a (x) = I n —1 mod N (15) 



for i∈Z_N are precomputed and stored to improve efficiency. Note that henceforth, all computation is 
done modulo N. 

It is possible to compute the polynomial mappings for Ms represented with polynomials 
using interpolation as shown below: 

6(xjO= S a {x^)^•^a (xM(yi)"'a,(yj)bXx,y), and 

(rj)eD' ' s J, Jr 

X(x,y)= S a (Xi)-"fl (x>^.(yj)---« (y,)A''(x,j;) 

The resulting machine is called M. 

Given M's state after n state-transitions, x(n), and the (n+1)th input y(n), the next state 
transition and output is computed by the mapping: 

$$\bigl(\delta_1(x(n), y(n)),\ \ldots,\ \delta_S(x(n), y(n)),\ \lambda_1(x(n), y(n)),\ \ldots,\ \lambda_O(x(n), y(n))\bigr)$$

The computation of M transformed is executed by iterating the mapping given in equation 16. This 
gives the relations (originally presented as equations (2) - (4)): 
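
$$x(n) = \begin{cases} \delta(x(n-1),\, y(n-1)), & \text{for } n > 0 \\ \text{given}, & \text{for } n = 0 \end{cases} \qquad (17)$$

$$z(n) = \begin{cases} \lambda(x(n-1),\, y(n-1)), & \text{for } n > 0 \\ \text{given}, & \text{for } n = 0 \end{cases} \qquad (18)$$

$$y(n) \text{ is given for } n > 0. \qquad (19)$$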
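
The interpolation step and the univariate key composition described above, carried through on a toy machine, as an added Python example that is not code from the patent. The selector polynomial 1 − (x − i)^(N−1), the parity machine, N = 5, S = I = O = 1 and the three key permutations are assumptions constructed for the illustration.

```python
"""Mealy machine -> polynomials over Z_N -> partial encryption (toy sizes)."""
from functools import reduce
from itertools import product

N = 5                                   # prime modulus (constructed)
X, Y = {(1, 0): 1}, {(0, 1): 1}         # variables x (state) and y (input)
Q_A, B = 4, 4                           # augmentation state, blank output
ONE = {(0, 0): 1}
KEYS = ([3, 0, 4, 1, 2], [1, 2, 3, 4, 0], [2, 4, 1, 0, 3])  # r_x, r_y, r_z tables

def red(e):
    # exponents above N-1 are reduced in steps of N-1 (x^N == x on Z_N)
    return e if e < N else (e - 1) % (N - 1) + 1

def add(p, q):
    out = dict(p)
    for m, c in q.items():
        out[m] = (out.get(m, 0) + c) % N
    return {m: c for m, c in out.items() if c}

def mul(p, q):
    out = {}
    for ((a, b), c), ((d, e), f) in product(p.items(), q.items()):
        m = (red(a + d), red(b + e))
        out[m] = (out.get(m, 0) + c * f) % N
    return {m: c for m, c in out.items() if c}

def scale(c, p):
    return mul({(0, 0): c % N}, p)

def power(p, k):
    return mul(p, power(p, k - 1)) if k else ONE

def subst(p, px, py):
    """Symbolic composition p(px, py); polynomials are {(i, j): coeff}."""
    terms = [scale(c, mul(power(px, a), power(py, b))) for (a, b), c in p.items()]
    return reduce(add, terms, {})

def indicator(var, i):
    # assumed selector: 1 - (var - i)^(N-1) is 1 at var == i, else 0 (Fermat)
    return add(ONE, scale(-1, power(add(var, {(0, 0): -i % N}), N - 1)))

def interpolate(table):
    """{(x, y): value} on all of Z_N x Z_N -> bivariate polynomial."""
    terms = [scale(v, mul(indicator(X, i), indicator(Y, j)))
             for (i, j), v in table.items()]
    return reduce(add, terms, {})

def key_poly(perm):
    """Permutation table -> univariate permutation polynomial in x."""
    return reduce(add, (scale(v, indicator(X, i)) for i, v in enumerate(perm)), {})

def inverse(perm):
    return [perm.index(i) for i in range(N)]

def evaluate(p, x, y):
    return sum(c * pow(x, a, N) * pow(y, b, N) for (a, b), c in p.items()) % N

def mealy_tables():
    """Constructed parity machine on {0,1}; other pairs go to Q_A and emit B."""
    delta, lam = {}, {}
    for q, a in product(range(N), repeat=2):
        inside = q < 2 and a < 2              # the original domain D
        delta[q, a] = q ^ a if inside else Q_A
        lam[q, a] = q ^ a if inside else B
    return delta, lam

def encrypt_machine(delta_p, lam_p, kx, ky, kz):
    """r_x(delta(s_x(x), s_y(y))) and r_z(lambda(s_x(x), s_y(y)))."""
    sx = key_poly(inverse(kx))                # state variable: same pair as r_x
    sy = subst(key_poly(inverse(ky)), Y, {})  # s_y rewritten as a polynomial in y
    enc_d = subst(key_poly(kx), subst(delta_p, sx, sy), {})
    enc_l = subst(key_poly(kz), subst(lam_p, sx, sy), {})
    return enc_d, enc_l

def run_plain(delta, lam, inputs, q=0):
    out = []
    for a in inputs:
        out.append(lam[q, a])
        q = delta[q, a]
    return out

def run_encrypted(enc_d, enc_l, kx, ky, kz, inputs, q=0):
    """Host-side iteration on encrypted state; the owner decrypts outputs."""
    sz, xe, out = inverse(kz), kx[q], []
    for a in inputs:
        ye = ky[a]                            # input encrypted with r_y
        ze, xe = evaluate(enc_l, xe, ye), evaluate(enc_d, xe, ye)
        out.append(sz[ze])
    return out

def demo(inputs=(1, 0, 1, 1, 3, 0)):
    delta, lam = mealy_tables()
    enc_d, enc_l = encrypt_machine(interpolate(delta), interpolate(lam), *KEYS)
    return run_plain(delta, lam, inputs), run_encrypted(enc_d, enc_l, *KEYS, inputs)

if __name__ == "__main__":
    print(demo())
```

The host only ever evaluates `enc_d` and `enc_l` on encrypted values; the plaintext tables and the key permutations stay with the owner.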



The original machines defined by Blum, Shub, and Smale are defined over a ring R, each 
having: 

• a state space R^S, 
• an output space R^O, 
• an input space R^I, and 
• a graph defining its computations, 

where S, O, and I are positive integers. The graph of any machine has four node variants, numbered 
by type in the list below: 

1. Input node (node of type 1) 

This node has one outgoing edge to the node numbered (n) and no incoming edges. 
The number of the input node is n. Associated with this node is the injective input 
mapping I:^ There is only one input node in any automaton over R. 

2. Output node (node of type 2) 

These nodes have one incoming edge, and no outgoing edges. The computation of the 
automaton is finished when an output node is reached. Each of these nodes has an 
output mapping O_n: R^S → R^O, where n is the number of the node in question. 

3. Computation node (node of type 3) 

Each node of this type, numbered n, has one incoming and one out-going edge to 
node number P(n). Each such node has a mapping g_n: R^S → R^S. g_n is in general 
rational for R a field, and polynomial otherwise. 

4. Branch node (node of type 4) 

Each node number n of this type has one incoming edge, and two outgoing edges to 
the nodes numbered P⁻(n) and P⁺(n). Each such node has a polynomial or rational (for 
R a field) mapping h_n: R^S → R. If R is an ordered ring, the automaton "moves" to node 
P⁻(n) when h_n(x) < 0, x ∈ R^S, and to node number P⁺(n) when h_n(x) ≥ 0. If R is not 
ordered, the automaton "moves" by convention to node P⁻(n) when h_n(x) = 0 and to 
node number P⁺(n) when h_n(x) ≠ 0. 
A BSS' machine "moves" by executing the following steps until it halts at an output 
node or cannot execute another computation step for some reason: 

1. Compute the new state x ← g_n(x); and 

2. Change "location" from node number n to the next node, which is node number P(n), 
or one of P⁺(n) or P⁻(n) for a branch node. 

The set of node numbers from 1 to p can be written N. A BSS machine thus has p nodes 
in all. The full state space of a Blum-Shub-Smale machine is then N×R^S. It is possible to express the 
computation of a Blum-Shub-Smale machine using only the "computing endomorphism" 

H: N×R^S → N×R^S. 

The computing endomorphism generally has the form 

H(n, X) = (P(«, g„m, 

where P is the next node function, computing the node the automaton is to "move" to when g_n has 
been applied to the state vector x. The sign function, denoted by χ(x), is defined as follows: 




X(x) = \l,x,=0 (20) 



The function P(n, σ): N × {−1, 0, 1} → N is in general 

$$P(n,\sigma) = \begin{cases} P(n), & n < p \text{ and } n \text{ is not a branch node} \\ P^{+}(n), & n \text{ is a branch node and } \sigma = 0, 1 \\ P^{-}(n), & n \text{ is a branch node and } \sigma = -1 \end{cases} \qquad (21)$$

In an alternate embodiment, an additional constraint is added such that P(p) must equal p. 

In order to understand the extent of the modifications introduced later on, it is necessary 
to have an overview of the general functional composition of the computing endomorphism H. Fix a 
Blum-Shub-Smale machine M over Z_N for a prime number N. When N is a prime number, Z_N is a finite 
field. Let B = {branch nodes in M}, and let a_i(x) be defined as 



a.ix) = I n 4 1 mod A^, (22) 



When $y \in N$, $a_n(y) = 1$ if and only if $n = y$, otherwise $a_n(y) = 0$. For $y \notin N$, $a_n(y)$ produces nonsense. It is
necessary to know that $P(y, a) = P(y, \chi(x))$ is expressible as a polynomial, for which an expression
can be found in the article by Blum, Shub, and Smale. When computing $P(y, a)$ for a node, $a = \chi(x)$
must be evaluated. Over a finite field it is possible to express $\chi$ as a polynomial.

A mapping $g(n, x) = g_n(x)$ does all "useful" computation in $M$. Let



g J 



Generally, 



where/^,(^ and q„/x) are polynomials in general. If « is a computation node,^, is a polynomial in x 
with its dimension bounded by the dim M, and degree bounded by deg M. If n is not a computation
node, then g^iix)= 1 and p'„ (x) is identical to the /* component of x for all /. It is then possible to 
express g(n, x) as: 

This gives the explicit expression for the computing endomorphism for $M$ in the form
$H(n, x) = (P(n, \chi(x)), g(n, x))$. (24)



At this stage, $H$ is at best piecewise polynomial. In order to encrypt such a machine with polynomial
mappings, it must be modified.

For adaptation to encrypted computation, the following changes are made:

• An integer $N$ is selected using the following criteria:

1. $N$ must be a prime number.

2. $N$ must be at least as great as the number of nodes ($N > p$).

3. $N$ must make allowance for any constants selected as important by the user,
meaning that $N$ must be greater than any such selected constant.

4. $N$ must accommodate any other requirements on it imposed by the user, if
possible.

• $R$ is restricted to the class of finite fields $R = Z_N$ for the selected $N$. This ensures that
no polynomials over $Z_N$ have more than $N^d$ coefficients, where $d$ is the number of
variables of a given polynomial. This is due to the fact that for any $x \in Z_N$, $x^e = x^{e'}$ for
some $e > N - 1$ and $0 < e' < N$.

• Each $g_n$ may only be polynomial, so each $q_{n,i} = 1$.

• By convention, nodes are numbered from 0 to $p - 1$ instead of from 1 to $p$.

• The full state space concept is changed to include both the input and output spaces,
such that the full state space § is now:

giving $1 + S + O + I$ components in all.

• Every mapping $g_n$ is the identity for all the last $I$ components. This ensures that the
machine cannot write to input.

• No mapping $g_n$ may have as variables any of the components $1+S+1$ to $1+S+O$.
This ensures that no output is used in further computation.

• All nodes accept input from the last $I$ components in the full state vector in §
without use of any special input mapping.

• All nodes compute output to components number $1+S+1$ through $1+S+O$.

• There are only two types of nodes:

1. computation nodes: these may contain a computation, and/or a branching;
and

2. halting nodes: these nodes have at least two incoming edges (one from itself),
and only one outgoing edge to itself.

• As an option, one may explicitly list halting nodes of the machine, or define certain
output symbols as "halting signals" (as per the symbol "5" for augmented Mealy
machines), or do both.

Since the modified machines are constructed over $Z_N$, which contains only non-negative
integers, the original version of the branch node becomes meaningless. Instead, the next-node
function takes the form $P : N \times Z_N \to N$. To simplify, require $N \subset Z_N$, even though one could make do
with a smaller prime than some $N > p$ for the state-space. This implies that $P$ is extended to

The selected replacement relation for branch nodes is a series of relations of the type 
e Kc (Zf^ - {0}). For each node n there is a list of mutually disjoint subsets of 
- {0} . Define K„ to be the union of all K^j. For any c Z^^, - {0} define 

b^z) - ( U^iz - mod N. (25) 



When $z \in Z_N$, $b_K(z)$ maps to 1 if and only if $z \in K$ and to 0 otherwise. The function exploits a
property of elements of the finite multiplicative subgroup of the finite field $Z_N$, which effectively
implies $z^{N-1} = 1 \bmod N$. Since 0 is not in this subgroup, it does not satisfy this property, and thus
cannot be included in $K$.

Let $B \subset Z_p$ be the set of all branch nodes. Using $b_K$, it becomes possible to express $P$
using a polynomial:

P(«, X) = a,(n)A(i, X), (26) 

/ = 0 



n', i$ B 

= E " (1 - ^- ^^^^ 

The constants $n'$, $n''$, and all $n_{i,j}$ are all elements in $Z_p$, the node space. This enables the expression of the
computing endomorphism of the BSS' machine as a polynomial over $Z_N$. Thus the computing
endomorphism for the modified BSS' machine over $Z_N$ is:



H{n, X) - P(«, x^), «/«)^, ' (28) 
where 1 < < J is fixed for the node.

It is also possible to take a further step, using the resulting polynomial expression to fill 
in a function table for H, such that computation can be done by using the function table. Such a 
function table may have its entries and indices represented in any vectorization deemed convenient 
for the purposes of its application. 

Let a mapping $f(x_1, \ldots, x_m) = (f_1(x_1, \ldots, x_m), \ldots, f_n(x_1, \ldots, x_m))$ be given as a table indexed by
$(x_1, \ldots, x_m)$. The table entry $(f_1, \ldots, f_n)$ at $(x_1, \ldots, x_m)$ is the mapping evaluated at $(x_1, \ldots, x_m)$. Assume $f$ is a
mapping from $Z_N^m$ to $Z_N^n$, where $N$, $m$ and $n$ are positive integers (that do not have to be prime
numbers). Then $f$ can be completely defined by its function table.

The mapping $f$ is prepared for symbolic composition by generating a new function
$t : Z_{N^m} \to Z_{N^n}$. Every entry $(f_1, \ldots, f_n)$ corresponding to $(x_1, \ldots, x_m)$ is placed in entry number
$X = N^{m-1} x_m + \ldots + N x_2 + x_1$ as the number $F = N^{n-1} f_n + \ldots + N f_2 + f_1$. Note that $X$ and $F$ are both integers.

Let g be a mapping from Z^ to Z^ and tg be prepared for gost was for / Denote by t^ihe 
function table defining the composition of g with / Symbolic composition of g with / is done by 
setting tJJC)=tg{t{X)) for every X£ Z^^m .Denote by t^, the function table defining the composition of f 
with hi,...,h^. Symbolic composition of /with hi,...,h^ is done by setting 
tj^(X)=tiir-\(X)+...+N't2(Xy^t,(X)) for every XeZ^„. 

After composition, the resulting function table may be converted back into a polynomial
representation, provided $N$ is a prime number. Given a function table $t : Z_{N^m} \to Z_{N^n}$, $t$ may be
converted into a polynomial as follows:

• Create a table t indexed by tuples on the form (jc,,...,x„), whose entries are tuples on the form 
(/„-../«)• 

• For every tuple of arguments, {x^,...^^: 

o compute $X = N^{m-1} x_m + \ldots + N x_2 + x_1$.

o Set $F = t(X)$. Reduce $F$ to a base-$N$ representation, such that $F$ is
represented by a tuple $(f_1, \ldots, f_n)$.
o Set the tuple in f indexed by to (/I,.../,). 

• Using f as the interpolation data, one may optionally symbolically interpolate a polynomial 
to find the polynomial form of the function composition. 

A function $f$ can also be composed with multivariate functions which do not have a number
of variables directly corresponding to $f$'s number of components or a number of components directly
corresponding to $f$'s number of variables. Let a mapping $f(x_1, \ldots, x_m) = (f_1(x_1, \ldots, x_m), \ldots, f_n(x_1, \ldots, x_m))$ be given
as a table indexed by $(x_1, \ldots, x_m)$. The table entry $(f_1, \ldots, f_n)$ at $(x_1, \ldots, x_m)$ is the mapping evaluated at
$(x_1, \ldots, x_m)$. Assume $f$ is a mapping from $Z_N^m$ to $Z_N^n$, where $N$, $m$ and $n$ are positive integers (that do not
have to be prime numbers). Then $f$ can be completely defined by its function table.

The mapping $f$ is prepared for symbolic composition by generating a new function
$t : Z_{N^m} \to Z_{N^n}$. Every entry $(f_1, \ldots, f_n)$ corresponding to $(x_1, \ldots, x_m)$ is placed in entry number
$X = N^{m-1} x_m + \ldots + N x_2 + x_1$ as the number $F = N^{n-1} f_n + \ldots + N f_2 + f_1$. Note that $X$ and $F$ are both integers. There are two
cases to be considered:

1 . the symbolic composition of /with hi,...,h^ using function tables, such that one 
computesy(/Zj(Xj,...p£;^ ),/z2(-^^^^p...^^^,^p,...,/z/x^_^^,p...pfJ) , where 53f=i c.=m, every, c,- 
being a positive integer, and 

2. the symbolic composition of h^,...,hf, with/ using function tables, such that one computes 
{h^(f^{x^,...^J,.../^(x^,...^J),...,h^(f^^^^^ , where 53f=i c.=n , 
every, c, being a positive integer. 

For case 1, denote by tfl, the function table defining the composition of /with hi,...,hi,. The 
mappings h.'.Z^-'Zj^ are prepared for composition by computing a function table tf^.'.Z^Cj-^Z^c,, 
where every mapping value (/z. ^,...,h.^) corresponding to a (^a+p -Pf^+c)' where «=5!^=i 
placed in entry number ^=A'^''' ^^a+c.'''- +-^*^a+2"'"-'''a+l as the number if = A'' ^h.^ +...+N^h.2+h. ^ . 

The symbolic composition of f with hi,...,hk is done as follows: 

• For every $i$ from 1 to $k$ set $y_i = N^{c_i}$.

• Set a vector to (0,...,0) and reserve a vector 

• For every / from 0 to iV^ do: 
o Set te=0. 

o For every J from ^ to 1 do: 

o Set b;=tf,jibj). 

o Multiply u by jy. 

o Add bj- to u. 
o Set/^(Oto^/M). 

o Increment the vectorized index {bi,...,b,,), taking into account that 6, is in base yi, Z>2 is in 
base y2,.:,b^ is in basey^- 

After the composition, the resulting function table may optionally be converted into a
polynomial representation. This procedure is identical to that described above for the previously
discussed function table compositions.

For case 2, denote by ^^/the function table defining the composition of /with hi,...,h,,. The 
mappings h.:Zj^-*Z^ are prepared for composition by computing a function table .'.Z^c,-*Z^c,, 
where every mapping value (.h. i,...,h.^) corresponding to a (x^^j,...^^^^), where «=5^j=l Cj, is
placed in entry number X^N"-'\^^+...+N\^^+x^^^ as the number H=N"-'^h.^ -^...+N%^^^\^ . 
The symbolic composition of /?i,...A with/is done as follows: 

• Setyi=l; 

• For every / from 2 to A: set jV-=>'._jA'''^'"' . 

• Set a vector to (0,...,0) and reserve a vector (bi,...,bk). 

• For every / from 0 to A?" do: 

o Set u=tj(J). 
o Set q=0. 

o For every j from A: to 1 do: 

■ Set p to the integer result of ufyj. 

■ Set u=u-pyj. 

■ SetA,-to/;,/M). 

■ Add yjbj to g 
o Setr./Otog'. 

A function $f$ can also be composed with multivariate functions that do not have a number
of variables directly corresponding to $f$'s number of components or a number of components directly
corresponding to $f$'s number of variables, and that in addition may "reuse" one or more variables.
Thus each variable may be used in more than one mapping $h_i$, and there is no explicit requirement
that any given variable be used at all by any of the $h_i$. Let a mapping
$f(x_1, \ldots, x_m) = (f_1(x_1, \ldots, x_m), \ldots, f_n(x_1, \ldots, x_m))$ be given as a table indexed by $(x_1, \ldots, x_m)$. The table entry $(f_1, \ldots, f_n)$ at
$(x_1, \ldots, x_m)$ is the mapping evaluated at $(x_1, \ldots, x_m)$. Assume $f$ is a mapping from $Z_N^m$ to $Z_N^n$, where $N$, $m$
and $n$ are positive integers (that do not have to be prime numbers). Then $f$ can be completely defined
by its function table.

The mapping $f$ may in some embodiments be prepared for symbolic composition by
generating a new function $t : Z_{N^m} \to Z_{N^n}$ as for previously described methods of composition. The
mappings $h_1, \ldots, h_k$ may be prepared similarly for some embodiments. As earlier,^ . denotes i* group of
variables. There are two cases to be considered:

1 . the symbolic composition of/ with K...,K, using function tables, such that one computes 
X/^j(x,(,^i),...^,(,^^^j),...,ft/x,(, j),...,x,(,^^p), where E^i ^C^^ ^very c, being a posith^e 
integer, each J.^ 1 , e{ij) is the index of the variable "originally fed to/' fed into the/" 
variable in mapping h;, and 

2. the symbolic composition ofhi,...,hk with /, using function tables, such that one computes 
(^lC/e'(14)(-'''l'-'^m)'-"5^'(l,c,)(^l'-"'^/«)'^e(l,l)'---'^e{l,rfl)^^

where each c 1 , e'(y ) is the index of a component of f, each <i.> 1 , e{ij) is the index of the 
variable "originally fed to /" fed into the 7* variable in mapping h^. 

For case 1, denote by tjy, the function table defining the composition of /with h^,...,hf,. The 
symbolic composition of f with h^,...,h^ is done as follows: 

• Set a vector (ai,...,aj to (0,...,0). 

• For every i from 0 to N" do: 

o For every j from to 1 compute ^iffi^^ iy-'^e(f d )) ' 

o set tfl,{a^,...,a^)=fih^,...,h^y, 

o Increment the vectorized index (ai,...,a„). 

After the composition, the resulting function table may optionally be converted into a
polynomial representation. This procedure is identical to that described above for the previously
discussed function table compositions, and requires that $N$ be a prime number. This composition
method has many different potential embodiments, depending on the context in which the method is
used. An example is the method of parametrized encryption of the register machine, presented later
on, where this method is incorporated into the method of encryption in a highly specialized version.

For case 2, denote by 4/ the function table defining the composition of/ with hi,...,ht. As with 
the variables in case 1, there is no explicit requirement that all components of/must be used. Also 
they may be used by more than one /?, mapping. 

The symbolic composition of /ij,...,^^ with/is done as follows: 

• Set a vector («„...,«„) to (0,...,0). 

• For every / from 0 to A'" do: 

o For everyy from k to 1 compute hj{f^ '(j,\r--^e'{j,c)^e{j,\y^c(j4)> 

o SQt tj^a„...,aJ=iK-A)- 

o Increment the vectorized index (ai,...,a„). 

As with the previous case, the result of this composition can be converted into a
polynomial, provided $N$ is a prime number. Also this method of composition can be highly
specialized, with actual embodiment characteristics depending on application context. In addition to
using the composition method of the previous case, the parametrized encryption method also makes
use of this composition method, and is an example of a specialized embodiment of the method.

The method of encryption of polynomial mappings using univariate polynomials uses key
pairs described by a prime number $N$ and key pairs $(r_i, s_i)$. The number $N$ is given by the specification
of the mapping to be encrypted. Each key pair $r_i$ and $s_i$ are univariate polynomials computing
non-linear permutations of $Z_N$ such that $s_i(r_i(x)) = x$ for $x \in Z_N$. From the particular properties of the
field $Z_N$, $r_i$ and $s_i$ are always uniquely expressible as polynomials over $Z_N$ with at most $N$ non-zero
coefficients. Equal key pairs are allowed, such that for some $i$ and some $j \ne i$, $r_i = r_j$ and $s_i = s_j$. The
user may also choose to let some pairs be the identity mapping $x$, such that $r_i = s_i = x$. All apparatus
for computations described below may or may not make use of precomputed tables for one or more of
the following operations, dependent on what the most efficient means of computation for any given
operational environment is:

• addition modulo $N$

• subtraction modulo $N$

• incrementation modulo $N$

• exponentiation modulo $N$

• multiplication modulo $N$

• multiplicative inversion modulo $N$

One assumes the user has a source of random numbers (or pseudo-random numbers with
period much greater than I^). The number of key pairs $(r_i, s_i)$ to be generated is dependent on the
number of function components and variables in the plaintext mapping.

In one embodiment, the coefficients of the functions

$$a_k(x) = \prod_{0 \le j < N,\ j \ne k} \frac{x - j}{k - j}$$

are precomputed modulo $N$ using an algorithm based on Horner polynomial evaluation and stored in a
two-dimensional array $a(k, j)$, where $0 \le k < N$ gives the function subscript, and $0 \le j < N$ the
individual coefficient. In an alternate embodiment, the coefficients are calculated as needed.

The procedure then generates pairs $(r_i, s_i)$ for those key pairs not chosen to be the
identity mappings, and those not copied from previously generated key pairs (because they are chosen
to be equal).

Accordingly, for each pair, let $R$ and $S$ be arrays of $N$ numbers in $Z_N$ indexed from 0 to
$N - 1$. Every element of $S$ is initialized to the negative integer $-1$. For every $0 \le k < N$, a random number
$j \in Z_N$ is generated until $S(j) = -1$. Then one sets $R(k) = j$ and $S(j) = k$.

The encryption key $r_i(x)$, which is a univariate polynomial, is then symbolically
interpolated using the array $R$ according to the expression:

$$r_i(x) = \sum_{j=0}^{N-1} a_j(x) R(j).$$

Thus the $k$-th coefficient is computed as

$$\left[ \sum_{j=0}^{N-1} a(j, k) R(j) \right] \bmod N.$$

Similarly, the decryption key $s_i(x)$ is interpolated using the array $S$ according to the expression:

The coefficients of $s_i$ are computed in the same manner as for $r_i$. If $r_i$ and $s_i$ are linear, the procedure is
repeated until $r_i$ is non-linear or a preset limit for generation attempts is exceeded.

Only polynomial mappings in the form $h : Z_N^d \to Z_N^e$ where
$h(x_1, \ldots, x_d) = (h_1(x_1, \ldots, x_d), \ldots, h_e(x_1, \ldots, x_d))$ may be encrypted. Prior to encryption, one must
decide which $x_i$ to decrypt. Let $I \subset \{e+1, \ldots, e+d\}$ be this set. In addition, one must decide which
mapping components to encrypt. Let $J \subset \{1, \ldots, e\}$ be this set. All key pairs $(r_i, s_i)$ such that $i \notin I \cup J$
are then set to the identity mapping $x$.

Encryption is achieved by replacing each $x_j$ where $(j+e) \in I$ with $s_{j+e}(x_j)$, and each $h_i(\ldots)$
where $i \in J$ with $r_i(h_i(\ldots))$, such that one composes $r_i$ with $h_i$ symbolically. The resulting expression
will be:

The mapping $h$ is thus encrypted with the key pairs $(r_1, s_1), \ldots, (r_{e+d}, s_{e+d})$ using symbolic
function composition. This results in a polynomial mapping:



H(x^, x^) - xJ, Hp,, x^y). 
where inputs with index in $I$ are taken in encrypted form and decrypted, and other inputs are taken in
plaintext form. The original computation $h$ is applied, and components in $J$ are output in encrypted
form, while the rest are output as plaintext.

Decryption is not meant to be performed on encrypted polynomial mappings, only
encrypted data. A datum $x \in Z_N$ is encrypted by applying $r$, giving $y = r(x)$. Similarly, an encrypted
datum $y$ is decrypted by applying $s$, giving $x = s(y)$.
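
The key generation, interpolation and symbolic composition steps described above, as an added example that is not part of the original text: it draws one key pair over a constructed N = 11, interpolates both tables as polynomials, and builds r(h(s(x))) for a constructed h(x) = x^2 + 3. The function names, the seed and the single-variable h are assumptions of the example; exponents are folded with x^N = x, which holds for every x in Z_N.

```python
import random

def horner(coeffs, x, N):
    """Evaluate a polynomial (coefficients low-order first) at x modulo N."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % N
    return acc

def poly_mul(a, b, N):
    """Multiply over Z_N, folding exponents with x^N = x so degree stays below N."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            e = i + j
            if e >= N:                       # x^e and x^((e-1) mod (N-1) + 1) agree on Z_N
                e = (e - 1) % (N - 1) + 1
            out[e] = (out[e] + ai * bj) % N
    return out

def compose(outer, inner, N):
    """Symbolic composition outer(inner(x)) over Z_N, built up Horner-style."""
    acc = [0] * N
    for c in reversed(outer):
        acc = poly_mul(acc, inner, N)
        acc[0] = (acc[0] + c) % N
    return acc

def interpolate(table, N):
    """Lagrange interpolation: the polynomial p with p(k) = table[k] for all k in Z_N."""
    coeffs = [0] * N
    for k in range(N):
        basis, denom = [1], 1                # basis = prod_{j != k} (x - j)
        for j in range(N):
            if j == k:
                continue
            nxt = [0] * (len(basis) + 1)
            for i, c in enumerate(basis):
                nxt[i + 1] = (nxt[i + 1] + c) % N
                nxt[i] = (nxt[i] - j * c) % N
            basis = nxt
            denom = denom * (k - j) % N
        scale = table[k] * pow(denom, N - 2, N) % N   # inverse via Fermat, N prime
        for i, c in enumerate(basis):
            coeffs[i] = (coeffs[i] + scale * c) % N
    return coeffs

def degree(coeffs):
    return max((i for i, c in enumerate(coeffs) if c), default=0)

def keygen(N, rng, max_tries=64):
    """Fill R and S by rejection sampling; retry while the key is linear."""
    for _ in range(max_tries):
        R, S = [0] * N, [-1] * N
        for k in range(N):
            j = rng.randrange(N)
            while S[j] != -1:                # slot already used, draw again
                j = rng.randrange(N)
            R[k], S[j] = j, k
        r = interpolate(R, N)
        if degree(r) > 1:
            return r, interpolate(S, N)
    raise RuntimeError("no non-linear key found within the attempt limit")

def encrypt_mapping(h, r_out, s_in, N):
    """Decrypt the input with s_in, apply h, encrypt the result with r_out."""
    return compose(r_out, compose(h, s_in, N), N)

def demo(seed=1, N=11):
    rng = random.Random(seed)                # reproducible, not a key-quality source
    r, s = keygen(N, rng)
    h = [3, 0, 1]                            # constructed plaintext map h(x) = x^2 + 3
    H = encrypt_mapping(h, r, s, N)          # same pair on input and output
    inverse_ok = all(horner(s, horner(r, x, N), N) == x for x in range(N))
    commutes = all(horner(H, horner(r, x, N), N) == horner(r, horner(h, x, N), N)
                   for x in range(N))
    return inverse_ok, commutes, degree(r)

if __name__ == "__main__":
    print(demo())
```

Each key is a fixed permutation of Z_N, so equal plaintext values always map to equal ciphertext values under the same key.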

In particular, the expressions for the partial encryptions of Mealy machines will in 
general be in the form given in equation (6), duplicated below with the / index in the original 
equation replaced by L: 

(E^fH) (xin^l), zin^\)) = 

rj(§i(5',(Xj(«)),...,5/x/«)),j25^o^i(yi(«)),...,52^^o^^(y^(«))),..., 

''5.l(^l('^l(^l("))'-"''^5(^/«))'*2S+O+l(>'l(«))'"-''^25.O.i0^i(")))'"-' 

In the above equation, the $r_i$s and $s_i$s are key pairs as above in this sub-subsection,
except that $I$ and $J$ may now contain indexes pointing to components formally given in different
vectors.

For a BSS' machine, the resulting expression for the partially encrypted machine is of the 
form given in equation (7), duplicated below with the / index in the original equation replaced by L: 

^l+S+O*S*0*2^-'^S+0+2^^y)'---->^l+S+O*S+0*L*l^-'^S*O+L-^l^'^y^'---' 

In the above equation, the $r_i$s and $s_i$s are key pairs as described above.

In a method of re-encrypting polynomial mappings partially encrypted with univariate
polynomials, let $f$ be a mapping with $n$ functional components expressed as polynomials in $m$
variables. Assume $f$ is partially encrypted using the key pairs $(r_1, s_1), \ldots, (r_{n+m}, s_{n+m})$, such that E^ , ° f
may be written in the form given in equation (5).

Re-encryption is achieved by:

1. generating a new set of key pairs $(r'_1, s'_1), \ldots, (r'_{n+m}, s'_{n+m})$, possibly subject to the
same constraints of the original encryption of $f$,

2. for every $1 \le i \le n+m$ symbolically composing $r'_i$ with $s_i$ to generate $r'_i(s_i(x))$,

3. for every $1 \le i \le n+m$ symbolically composing $r_i$ with $s'_i$ to generate $r_i(s'_i(x))$,

4. for every variable $x_i$, $n < i \le n+m$, symbolically substituting $x_i$ with $r_i(s'_i(x))$, and

5. for every function component $f_i$, $1 \le i \le n$, symbolically composing $r'_i(s_i(x))$ with
$r_i(f_i(\ldots))$.



The method of encryption of Mealy machines with permutations of $Z_N$, defined using
state transition mappings and output mappings, uses function tables to express the state transition
mappings and the encryption and decryption functions. The method uses key pairs that are
permutations of $Z_N$. The state transition mapping is $\delta'$, and the output mapping is $\lambda'$.

This method can encrypt mappings of the form: $(\delta', \lambda') : Z_N^{S+I} \to Z_N^{S+O}$, with corresponding
function table $t_h$ effectively representing a function: $t_h : Z_{N^{S+I}} \to Z_{N^{S+O}}$.

To simplify notation consider $(\delta', \lambda')$ as the mapping $h(x_1, \ldots, x_d) = (h_1(x_1, \ldots, x_d), \ldots, h_e(x_1, \ldots, x_d))$,
where $d = S + I$, and $e = S + O$. The actual order of the components of $\delta'$ and $\lambda'$ in $h$ may vary from
embodiment to embodiment. Prior to encryption, one must decide which $x_i$ to decrypt. Let
$K \subset \{e+1, \ldots, e+d\}$ be this set. In addition, one must decide which mapping components to encrypt. Let
$J \subset \{1, \ldots, e\}$ be this set. All key pairs $(r_i, s_i)$ such that $i \in K \cup J$ are then generated. Different pairs of keys
may or may not be equal, depending on choices made by the user. Thus it is possible to have $r_i = r_j$ and
$s_i = s_j$ for some $i \ne j$. Key pairs $(r_i, s_i)$ such that $i \notin K \cup J$ are meant to be identity mappings, and are left
unused by the method described here.

Key generation is done as with encryption using univariate polynomials. For each $i \in K \cup J$
do the following:

• For every $j$ from 0 to $N - 1$ set $s_i(j) = -1$.

• For every $k$ from 0 to $N - 1$:

o Generate a random number $j \in Z_N$ until $s_i(j) = -1$.
o Set $r_i(k) = j$ and $s_i(j) = k$.

Encryption is achieved as follows:

• Reserve a temporary table $t_h'$ defining a function $t_h' : Z_{N^{S+I}} \to Z_{N^{S+O}}$.

• Initialize a vector $(x_1, \ldots, x_d)$ to $(0, \ldots, 0)$.

• First do symbolic composition of the inputs assumed to be encrypted with the relevant
decryption functions (using function tables). For every $i$ from 0 to $N^d - 1$ do:

o Set $k = 0$.

o Partially decrypt $(x_1, \ldots, x_d)$ by doing for every $j$ from $d$ to 1:

■ if $j + e \in K$, then set $y_j = s_{j+e}(x_j)$ otherwise set $y_j = x_j$

■ Set $k = kN + y_j$

o Set $t_h'(k) = t_h(i)$.

o Increment the vector $x$ as if it were a number in base-$N$ representation.

• The powers of $N$ may optionally be precomputed at this point, any previous point in this
method, or may be read from a table precomputed independently of this particular method.

• Second: symbolic composition of the outputs that are to be encrypted with the relevant
encryption functions (using function tables). For every $i$ from 0 to $N^d - 1$ do:

o Set $k = t_h'(i)$.

o Compute a vector $(x_1, \ldots, x_d)$ from $k$.

o For every $j$ from $d$ to 1 do:

■ if $j \in J$, then set $y_j = r_j(x_j)$ otherwise set $y_j = x_j$

o Evaluate $(y_1, \ldots, y_d)$ as digits of a number in base-$N$ representation to give the number
$m$.

o Set $t_h'(i) = m$.

• Lastly, copy the function table of $t_h'$ to the function table of $t_h$.
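
An added example (not from the original text) of function-table encryption for a constructed Mealy machine with S = I = O = 1 over N = 5: encrypted inputs are decrypted, the plaintext table is looked up, and the selected outputs are encrypted, here in a single pass rather than two passes over a temporary table. The machine, the helper names and the use of `shuffle` in place of the rejection loop are assumptions of the example.

```python
import random

def unpack(X, N, n):
    """Base-N digits of X, least significant first (X = x_1 + N*x_2 + ...)."""
    digits = []
    for _ in range(n):
        X, digit = divmod(X, N)
        digits.append(digit)
    return digits

def pack(digits, N):
    """Inverse of unpack: X = N^(n-1)*x_n + ... + N*x_2 + x_1."""
    X = 0
    for digit in reversed(digits):
        X = X * N + digit
    return X

def perm_keypair(N, rng):
    """Random permutation table r of Z_N and its inverse table s."""
    r = list(range(N))
    rng.shuffle(r)                      # stands in for the rejection loop in the text
    s = [0] * N
    for k, j in enumerate(r):
        s[j] = k
    return r, s

def build_table(step, N, d):
    """Function table t_h: packed (x_1..x_d) -> packed (h_1..h_e)."""
    return [pack(step(*unpack(X, N, d)), N) for X in range(N ** d)]

def encrypt_table(t, N, d, e, in_keys, out_keys):
    """in_keys maps a 0-based variable position to its decryption table s;
    out_keys maps a 0-based component position to its encryption table r."""
    enc = [0] * (N ** d)
    for X in range(N ** d):
        xs = unpack(X, N, d)
        ys = [in_keys[j][x] if j in in_keys else x for j, x in enumerate(xs)]
        fs = unpack(t[pack(ys, N)], N, e)
        gs = [out_keys[i][f] if i in out_keys else f for i, f in enumerate(fs)]
        enc[X] = pack(gs, N)
    return enc

def run(t, N, state, inputs):
    """Iterate a table with one state digit and one input digit per step."""
    outputs = []
    for a in inputs:
        state, out = unpack(t[pack([state, a], N)], N, 2)
        outputs.append(out)
    return state, outputs

def demo(seed=7, N=5):
    rng = random.Random(seed)           # reproducible, not a key-quality source
    # Constructed machine: next state = q + a, output = q * a (mod N).
    t = build_table(lambda q, a: [(q + a) % N, (q * a) % N], N, 2)
    r_state, s_state = perm_keypair(N, rng)
    r_out, s_out = perm_keypair(N, rng)
    # The state uses the same pair on the way in and out so the machine can be
    # iterated on ciphertext; the input digit stays in plaintext.
    enc = encrypt_table(t, N, 2, 2, {0: s_state}, {0: r_state, 1: r_out})
    inputs = [1, 3, 4, 2, 2]            # constructed input sequence
    q_plain, out_plain = run(t, N, 2, inputs)
    q_enc, out_enc = run(enc, N, r_state[2], inputs)
    return s_state[q_enc] == q_plain, [s_out[y] for y in out_enc] == out_plain

if __name__ == "__main__":
    print(demo())
```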

Re-encryption is identical to the method for the direct polynomial representations, except that
all mappings are always represented as function tables:

1. Generate a new set of key pairs $(r_1', s_1'), \ldots, (r_{n+m}', s_{n+m}')$, possibly subject to the same constraints
applied to the original encryption of $h$.

2. For every $1 \le i \le n+m$ symbolically composing $r_i'$ with $s_i$ to generate the function table for
$r_i'(s_i(x))$.

3. For every $1 \le i \le n+m$ symbolically composing $r_i$ with $s_i'$ to generate the function table for
$r_i(s_i'(x))$.

4. For every variable $x_i$ in $h$ where $n < i \le n+m$, symbolically substituting $x_i$ with $r_i(s_i'(x))$.

5. For every function component $h_i$, $1 \le i \le n$, symbolically composing $r_i'(s_i(x))$ with $r_i(h_i(\ldots))$.

The method of encryption of polynomial mappings using multivariate polynomials uses key
triples $(c_i, r_i, s_i)$ with the following properties:

1. $c_i$ is an integer such that $c_i \ge 1$

2. $r_i$ and $s_i$ are bijections (permutations) from $Z_N^{c_i}$ to $Z_N^{c_i}$, where $N$ is a prime number
given by the specification of the machine to be encrypted.

3. $r_i$ and $s_i$ are selected so they are non-linear.

4. Each component $r_{i,j}$ of $r_i$ and $s_{i,j}$ of $s_i$ is expressed as a multivariate polynomial from
$Z_N^{c_i}$ into $Z_N$.

The mappings $r_i$ are the encryption mappings, and are written

The mappings $s_i$ are the decryption mappings, and are written

Different $c_i$s may be chosen to be equal such that for some $i$ and some $j \ne i$, $c_i = c_j$.
Furthermore, if $c_i = c_j$ for some $j \ne i$, then one may choose to set $r_i = r_j$ and $s_i = s_j$. Also, $r_i$ and $s_i$ may
in general be set to the identity mapping $(x_1, \ldots, x_{c_i})$ for one or more $i$.

From the particular properties of the field $Z_N$, it follows that $r_i$ and $s_i$ are always uniquely
expressible as polynomials over $Z_N$ with at most $N^{c_i}$ non-zero coefficients.

All apparatus for computations described below may or may not make use of precomputed
tables for one or more of the following operations, dependent on what the most efficient means of
computation for any given operational environment is:

• addition modulo $N$

• subtraction modulo $N$

• incrementation modulo $N$

• exponentiation modulo $N$

• multiplication modulo $N$

• multiplicative inversion modulo $N$

The number $N$ is given by the specification of the mapping to be encrypted. It is assumed that
the user has a source of random numbers (or pseudo-random numbers with period much greater than

. The selection of block sizes $c_i$ is specified by the user. When this is done, the number of
triples $(c_i, r_i, s_i)$ to be generated is dependent on the number of function components and variables in
the plaintext mapping.

In one embodiment of the present invention, next the coefficients of the functions

$$a_k(x) = \left( \prod_{0 \le j < N,\ j \ne k} \frac{x - j}{k - j} \right) \bmod N$$

are precomputed using an algorithm based on Horner polynomial evaluation and stored in a
two-dimensional array $a(k, j)$, where $0 \le k < N$ gives the function subscript, and $0 \le j < N$ the
individual coefficient. In an alternate embodiment, the coefficients are computed as needed.

The procedure then generates triples $(c_i, r_i, s_i)$, for those triples not chosen to be the identity
mappings, and those not copied from previously generated triples (because they are chosen to be
equal).

Accordingly, for each triple, select $c_i$, and let $R$ and $S$ be arrays of $N^{c_i}(c_i + 1)$ numbers in Zj^
indexed by two indexes: the first from 0 to $N^{c_i} - 1$, the second from 0 to $c_i$. Every element $S(k, 0)$ is
initialized to the negative integer $-1$.

For every $k$ such that $0 \le k < N^{c_i}$, the following steps are executed:

1. A random number $j \in Z_{N^{c_i}}$ is generated until $S(j) = -1$.

2. $R(k, 0)$ is set equal to $j$ and $S(j, 0)$ is set equal to $k$.

3. The base-$N$ representation of $k$ is computed and stored in $S(j, 1)$ to $S(j, c_i)$.
This is the $c_i$-tuple or -vector, which $k$ represents. This will be used to
symbolically compute the polynomial mappings of $s_i$.

4. The base-$N$ representation of $j$ is computed and stored in $R(k, 1)$ to $R(k, c_i)$.
This will be used to symbolically compute the polynomial mappings of $r_i$.

Let the polynomial /be given as 

k = Q 

f converts a base-iV index vector with c^ components to one index integer 0<1<N'^' . 

The encryption key $r_i(x)$, which is a vector of multivariate polynomials, is symbolically
interpolated using the array $R$ according to the expression:

Similarly, the decryption key $s_i(x)$ is symbolically interpolated using the array $S$ according to the
expression:

The process of encryption and decryption is elaborated below. Assuming series of triples
$(c_1, r_1, s_1), \ldots, (c_k, r_k, s_k)$, and letting $h$ be a polynomial plaintext mapping



As a convention, the function components of $h$ are grouped in groups of $c_1, \ldots, c_l$
components. That is: the first group contains $c_1$ function components, the second $c_2$ components, etc.
up to the $l$-th group, which contains the last $c_l$ components of $h$. The $j$-th
group of function components may for brevity's sake be written $v_j$ in the following, where

Similarly, the variables are grouped in groups of $c_{l+1}, \ldots, c_k$ variables, such that the first group
contains $c_{l+1}$ variables, the second $c_{l+2}$ variables, and so on to the last group, which contains $c_k$
variables. The $j$-th group of variables may for brevity's sake be written $w_j$ in the following.

Prior to encryption, one must decide which groups $w_j$ of variables to decrypt. Let $I \subset \{l+1, \ldots, k\}$
be the set of indexes of variable groups to decrypt. In addition, one must decide which groups $v_j$
of function components to encrypt. Let $J \subset \{1, \ldots, l\}$ be the set of indexes of function component
groups to encrypt.

Encryption is then achieved by replacing each group of variables $w_j$ where $j + l \in I$ by the
mapping $s_{l+j}(w_j)$, and each group of function components $v_j$ where $j \in J$ with $r_j(v_j(\ldots))$ such that one
composes $r_j$ with $v_j$ symbolically. The resulting expression will be:



creates 





6=1 



(''i(^i(^/.i(i^i)'-'^/^/t-/))'-'^/(^/('^/.i(^i)'-"^fe(^fc-;)))' 



which, when written out, is: 

Inputs in a group whose indexes are in $I$ are taken in encrypted form and decrypted before
use, while the other inputs are already in plaintext form. The original mapping is applied to the
decrypted and plaintext inputs, before those components in a group whose index is in $J$ are encrypted.
The remaining components are output as plaintext.

Decryption is not meant to be performed on partially encrypted polynomial mappings, only
on encrypted data. A datum $w_i \in Z_N^{c_i}$ is encrypted by applying $r_i$, giving $y_i = r_i(w_i)$. Similarly, an
encrypted datum $y_i$ is decrypted by applying $s_i$, giving $w_i = s_i(y_i)$.

The partially encrypted state and output data after n applications of /f (for the Mealy 
machine) is written 

(vP,(n),...,w^_X«)). 

The general expression for a partially encrypted Mealy machine may be written as in 
equation (11), duplicated here: 
x(« + l)^«+l)) = {E^oH)ixin\m) =



or as in equation (12), duplicated here: 

Xo(^i(^i(«))v..,^.<«)),^,.r.i(^f.i(«))'-"'^M>))))) (30) 

In both the above equations $l$ is such that $D = \sum_{j=1}^{l} c_j \ge S$, and $D - c_l < S$. The number of
mapping components is $S + O$: $S$ in the next-state mapping $h$, and $O$ in the output mapping $\lambda$. The
first equation is for the case where $D = S$, and the second for the case where $D > S$. The $r_i$s and $s_i$s are
the encryption keys in the triples chosen during key generation.

For the BSS' machines, the resulting expression resembles the above expressions, but is 
slightly simpler. There is one variable vector jc(«) with I + S+ 0 + 1 components, has I + S + O 
components. As with the Mealy machine, the triples (c„ r„ s,) must equal (c,+„ r,+„ for !</</, 
where f is such that Sjli ^ l+S and SJ l{ c, < 1 + 5*. Set D = Sj=i Cj. In any case, D may not exceed 
the number of variables, so in the case where there are more function components than variables. 



there may be function components free of such restrictions when deciding upon triples for encryption. 
The partially encrypted state and output data after n applications of if is defined as 



{w^{n),...,-w^_fn)). 

The partially encrypted version of for a modified BSS' machine is defined as equation (13). 

It is also possible to re-encrypt polynomial mappings partially encrypted with multivariate
polynomial mappings. Let $f$ be a mapping with $n$ functional components expressed as polynomials in
$m$ variables. Assume $f$ is partially encrypted using the key triples $(c_1, r_1, s_1), \ldots, (c_k, r_k, s_k)$, such that
£^ jO/ may be written in the form given in equation (9). Note in particular that there are $l$
groups/blocks of function components and $k - l$ groups/blocks of variables.

Re-encryption is achieved by:

1. generating a new set of key triples $(c_1, r_1', s_1'), \ldots, (c_k, r_k', s_k')$, such that block sizes
are preserved, possibly subject to the same constraints of the original encryption of $f$,

2. for every $1 \le i \le l$ symbolically composing $r_i'$ with $s_i$ to generate $r_i'(s_i(\ldots))$,

3. for every $1 \le i \le k$ symbolically composing $r_i$ with $s_i'$ to generate $r_i(s_i'(\ldots))$,

4. for every block of variables $w_i$, $l < i \le k$, symbolically substituting $w_i$ with $r_i(s_i'(w_i))$,
and

5. for every block of function components $v_i$, $1 \le i \le l$, symbolically composing $r_i'(s_i(\ldots))$
with $r_i(f_i(\ldots))$.

Encryption of polynomial mappings using two-variable polynomials is an important special
case of encryption using multivariate polynomials, where all c_i = 2. The only differences between the
general multivariate case and the two-variable case will be in the way some of the mathematical 
operations are implemented, as different algorithms are optimal for different cases. 

The method of encryption of Mealy machines represented using function tables with
permutations of Z_N^c for some c ≥ 1, uses triples (c_i, r_i, s_i) with the following properties:

1. c_i is a positive integer.

2. r_i and s_i are bijections (permutations) from Z_N^{c_i} to Z_N^{c_i} expressed using function tables.

3. r_i and s_i are selected such that they are non-linear.

The mappings r_i are the encryption mappings, and the s_i are the corresponding decryption mappings.
Different c_i's may be chosen equal such that for some i and some j ≠ i, c_i = c_j. Furthermore, if
c_i = c_j for some i and j, then one may choose to set r_i = r_j and s_i = s_j. Also, r_i and s_i may in general
be set to the identity mapping (x_1,...,x_{c_i}) for one or more i.

The number N is given by the augmented Mealy machine M. When generating the key
triples, it is assumed that the user has a source of pseudo-random numbers with period much greater
than N'"*" . For each triple (c_i, r_i, s_i) select c_i and let t_{r_i} and t_{s_i} be function tables of r_i and s_i,
respectively. The tables t_{r_i} and t_{s_i} of N^{c_i} numbers in Z_{N^{c_i}} are indexed from 0
to N^{c_i} - 1. Every element in t_{s_i} is set to -1.

For every k from 0 to N^{c_i} - 1 do:

• A random number j ∈ Z_{N^{c_i}} is generated until t_{s_i}(j) = -1.
Set t_{r_i}(k) = j and t_{s_i}(j) = k.

When key generation is finished, there will be a series of triples (c_1,r_1,s_1),...,(c_k,r_k,s_k). This series of
triples can be used to encrypt mappings of the form: (δ',λ') = h: Z_N^{S+I} → Z_N^{S+O}, with corresponding
function table effectively representing a function: t_h: Z_{N^{S+I}} → Z_{N^{S+O}}. The actual order of the
components of δ' and λ' in h may vary from embodiment to embodiment. The mapping h is assumed
to be of the form: (h_1(x_1,...,x_d),...,h_e(x_1,...,x_d)), where d=S+I, and e=S+O.

The generated key triples can partially encrypt provided: 
1 . there exists some / such that 1 <l<k and ' 

To simplify notation, denote the jth group of function components v^.=(/z^^j,...,/z^^^), where
a=5j^ii . Similarly, group the variables into groups of Ci^^,...,Cj^ variables, such that the jth group 
of variables is written: "^^j=(Xa^v-,x^^c wherea=5j'^"Ji c^^^. Prior to encryption, one must decide 
which groups w_j of variables to decrypt. Let K ⊆ {l+1,...,k} be the set of indexes of variable groups to
decrypt. In addition, one must decide which groups v_j of function components to encrypt.
Let J ⊆ {1,...,l} be the set of indexes of function component groups to encrypt.

Encryption is achieved as follows: 

• Reserve a temporary table defining a function t^iZj^d^Zj^ ^ ■ 

• For every i from 1 to k set y_i = N^{c_i}.
Set z_1 = 1.

• For every i from 2 to l set z_i = y_{i-1} z_{i-1}.

Set z_{l+1} = 1.

• For every i from l+2 to k set z_i = y_{i-1} z_{i-1}.

• Initialize a vector (b_1,...,b_{k-l}) to (0,...,0). This vector represents the k-l
variable blocks, in a base N^{c_i} representation. For each variable block i:
bi=Y^j:[ where a^J^Z] Cj^^. 

• Reserve a vector(6/,...,Z»/_;) . 
For every / from 0 to A'^ 1 do: 

Set w=0. 

• For every j from ktol do: 

• if Sj is not the identity mapping setbl_i=rjibj_^ else set bj_i=bj_i. 

• Multiply u by yj . 

• Add bj-_i to u 
Set//(0=r;,(w). 

• Increment the vectorized index (Z) i,-;b^_ ) , taking into account the different sets from 
which the individual components may be taken. 

• Reserve a vector(b^,...,bj) . 

• For every / from 0 to iV 1 do: 

Set u=tl(i). 
Set g = 0; 

• For every j from / to 1 to: 

• Set p to the integer result of u/Zj . 

• Subtract pZj from u to get the remainder. 

• Set bj=u. 

• if rj is not the identity mapping set bj ~rj(bj) 

• Add Zjbj to q. 

• Lastly, copy the function table of tf^ to the function table of .

Decryption is not meant to be performed on partially encrypted function tables, only on
encrypted data. A datum w .eZj^ is encrypted by applying .^^ to the evaluation of the polynomial 

It is also possible to re-encrypt function tables partially encrypted with key triples (c_i, r_i, s_i).
Let h be a mapping over with n functional components and m variables expressed as a function
table t_h: Z_{N^m} → Z_{N^n}. Assume that h is partially encrypted using the key triples (c_1,r_1,s_1),...,(c_k,r_k,s_k).
Take the first l of these to be triples applied to function components (although this may vary from
embodiment to embodiment) and the last k-l to be triples applied to variables.

Re-encryption is achieved by:

1. generating a new set of key triples (c_1,r_1',s_1'),...,(c_k,r_k',s_k'), such that block sizes are preserved,
possibly subject to the same constraints of h's original encryption;

2. for every 1 ≤ i ≤ l, symbolically composing r_i' with s_i using their function table representations
to generate a new function table representation for r_i'(s_i(v));

3. for every l < i ≤ k, symbolically composing r_i with s_i' using their function table
representations to generate a new function table representation for r_i(s_i'(w));

4. for every block of variables w_i, l < i ≤ k, symbolically substituting w_i with r_i(s_i'(w_i)) using the
already available function tables; and

5. for every block of function components v_i, 1 ≤ i ≤ l, symbolically composing r_i'(s_i(·)) with
r_i(h_i(·)) using the already available function tables.
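The function-table key generation, partial encryption and re-encryption described above can be traced end to end on a small machine. The following is an added example, not code from the patent's source appendix: the modulus N = 5, the single state component (c = 1), the toy Mealy machine and all function names are assumptions, and the non-linearity test only covers this one-component case.

```python
import secrets

N = 5  # constructed modulus: one state component (c = 1), so keys permute Z_5


def is_affine(table):
    """True if table[x] == a*x + b (mod len(table)) for every x."""
    n = len(table)
    a, b = (table[1] - table[0]) % n, table[0]
    return all(table[x] == (a * x + b) % n for x in range(n))


def gen_key(n, rng=None):
    """Return function tables (t_r, t_s) of a random permutation r and its inverse s."""
    if n < 4:
        raise ValueError("every permutation of fewer than 4 elements is affine")
    rng = rng or secrets.SystemRandom()
    while True:
        t_r, t_s = [0] * n, [-1] * n          # -1 marks an unused slot in t_s
        for k in range(n):
            j = rng.randrange(n)
            while t_s[j] != -1:               # redraw until the slot is free
                j = rng.randrange(n)
            t_r[k], t_s[j] = j, k
        if not is_affine(t_r):                # property 3: keep only non-linear keys
            return t_r, t_s


def build_machine():
    """Constructed toy Mealy machine: (state, input) -> (next_state, output)."""
    return {(q, x): ((2 * q + x + 1) % N, (q + x * x) % N)
            for q in range(N) for x in range(N)}


def encrypt_table(h, t_r, t_s):
    """Partially encrypt h: the state variable is decrypted with s on the way in,
    the next-state component is encrypted with r on the way out."""
    enc = {}
    for w in range(N):
        for x in range(N):
            nxt, out = h[(t_s[w], x)]
            enc[(w, x)] = (t_r[nxt], out)
    return enc


def reencrypt_table(h_enc, old_key, new_key):
    """Move h_enc from the old key to the new key without rebuilding plaintext h."""
    (t_r, t_s), (t_r2, t_s2) = old_key, new_key
    out_map = [t_r2[t_s[v]] for v in range(N)]   # step 2: table of r'(s(v))
    in_map = [t_r[t_s2[w]] for w in range(N)]    # step 3: table of r(s'(w))
    re = {}
    for w in range(N):
        for x in range(N):
            nxt, out = h_enc[(in_map[w], x)]     # step 4: substitute the variable block
            re[(w, x)] = (out_map[nxt], out)     # step 5: compose on the component block
    return re


def run(table, state, inputs):
    """Feed inputs to a (possibly encrypted) table; return final state and outputs."""
    outputs = []
    for x in inputs:
        state, out = table[(state, x)]
        outputs.append(out)
    return state, outputs


if __name__ == "__main__":
    h = build_machine()
    old_key, new_key = gen_key(N), gen_key(N)
    h_enc = encrypt_table(h, *old_key)
    h_re = reencrypt_table(h_enc, old_key, new_key)
    inputs = [0, 3, 1, 4, 4, 2]
    print(run(h, 0, inputs)[1])                      # plaintext machine
    print(run(h_enc, old_key[0][0], inputs)[1])      # same outputs, encrypted state
    print(run(h_re, new_key[0][0], inputs)[1])       # same outputs after re-encryption
```

With one state component over Z_5 there are at most 120 candidate permutations, so the sample shows the mechanics only and not a usable key size.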



As described above, a Turing platform is a device supporting polynomial and encrypted
polynomial computations. In order for the polynomial representation of Mealy machines and BSS'
machines to be of significant usefulness, proper host support is required. If a host is referred to as
"O", then a Turing platform T includes:

• a very simple, slightly modified Turing machine with unbounded, linearly addressed 
storage, each storage unit being called a cell; and with a so-called finite control with 
position in the storage 

• an output register writeable by the finite control, which holds one storage unit

• an input register readable by the finite control, which holds one storage unit, and one 
of three possible movement directions (left, stand still, right) 

• an output register writeable by O, which is part of the input of the supported state 
machine 

• an input register readable by O, which is part of the output of the supported state
machine



A complete computation step for a Mealy machine or BSS' machine M supported by a Turing 
platform proceeds according to the following steps: 

1. T reads the cell at which its finite control is placed.

2. T writes the cell to the input of M.

3. O writes to the input of M.

4. M computes the next state.

5. M computes output and writes it to the input of T.

6. M computes output and writes it to the input of O.

7. M computes the direction of movement, and writes it to T.

8. T reads from its input register.

9. T writes the input to the cell.

10. T moves left, right, or stands still, if possible.

Note that the inputs to M in points 2 and 3 above are supplied to different components of
the same input vector. Similarly, all generated outputs mentioned in points 5, 6, and 7 are extracted
from different parts of M's output vector. The computation halts either when M outputs a
predetermined "halting" signal to the host via its designated output-to-host, or when the host detects 
that M is stuck in one state, is outputting only a "5" to the writeable register, and is not moving the 
finite control of the Turing platform about. 

Use of a Turing platform to support the computations of Mealy and BSS' machines allows 
them to do completely general computations if necessary, effectively making them equivalent to 
Turing machines in computational power. 
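The ten-point computation step above can be followed in a small simulation of the platform T, the host O and a supported machine M. This is an added example, not code from the patent: the machine M (a binary incrementer with the least significant bit in cell 0), the cell alphabet, the RUN/PAUSE and BUSY/HALT signals and all names are assumptions, and "if possible" is modelled as a storage that cannot be left at cell 0.

```python
from collections import namedtuple

BLANK, LEFT, STAY, RIGHT = 2, -1, 0, 1   # constructed cell alphabet {0, 1, BLANK} and moves
CARRY, DONE = 0, 1                       # states of the constructed machine M
PAUSE, RUN = 0, 1                        # values the host O writes to M
BUSY, HALT = 0, 1                        # values M writes to the host O

# The three parts of M's output vector: to T's cell, to O, and the movement.
MOutput = namedtuple("MOutput", "cell host move")


def mealy_m(state, cell, host_in):
    """Constructed M: binary increment. Returns (next_state, output vector)."""
    if state == DONE:
        return DONE, MOutput(cell, HALT, STAY)
    if host_in != RUN:                       # host asked M to idle
        return CARRY, MOutput(cell, BUSY, STAY)
    if cell == 1:                            # propagate the carry to the right
        return CARRY, MOutput(0, BUSY, RIGHT)
    return DONE, MOutput(1, HALT, STAY)      # 0 or BLANK absorbs the carry


class TuringPlatform:
    def __init__(self, cells):
        self.tape = dict(enumerate(cells))   # unbounded, linearly addressed storage
        self.pos = 0                         # position of the finite control
        self.out_reg = BLANK                 # written by the finite control, read by M
        self.in_reg = (BLANK, STAY)          # written by M: one storage unit + direction

    def read_cell(self):
        self.out_reg = self.tape.get(self.pos, BLANK)

    def commit(self):
        value, move = self.in_reg            # point 8: T reads its input register
        self.tape[self.pos] = value          # point 9: T writes the input to the cell
        if self.pos + move >= 0:             # point 10: move only if possible
            self.pos += move

    def contents(self):
        cells = [self.tape.get(i, BLANK) for i in range(max(self.tape, default=-1) + 1)]
        while cells and cells[-1] == BLANK:
            cells.pop()
        return cells


def computation_step(t, m_state, host_out_reg):
    """One complete step; returns (next state of M, value now in O's input register)."""
    t.read_cell()                                            # point 1
    cell_in = t.out_reg                                      # point 2
    host_in = host_out_reg                                   # point 3
    next_state, out = mealy_m(m_state, cell_in, host_in)     # point 4
    t.in_reg = (out.cell, out.move)                          # points 5 and 7
    host_in_reg = out.host                                   # point 6
    t.commit()                                               # points 8, 9 and 10
    return next_state, host_in_reg


def run_increment(bits, max_steps=1000):
    """Host loop: keep stepping until M signals HALT on its output-to-host."""
    t, state = TuringPlatform(bits), CARRY
    for steps in range(1, max_steps + 1):
        state, host_in_reg = computation_step(t, state, RUN)
        if host_in_reg == HALT:
            return t.contents(), steps
    raise RuntimeError("M did not halt within max_steps")


if __name__ == "__main__":
    print(run_increment([1, 1, 0]))   # 3 -> 4, bits listed least significant first
```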

A register machine is constructed to enable more efficient use of cryptographically enhanced 
machine representations. Different embodiments of the register machine are possible and two distinct 
types are discussed below. Different embodiments may further be combined to provide register 
machines with different capabilities. 

Embodiment 1 : Allows random memory access, but does not allow universal Turing 
computation. This type of register machine consists of the following: 

2. A set = of vectors of integers inZj^ indexed by vectors also in . Each Pj- can 
be thought of as an instruction. 

3. Either a vector 5* indicating the end of the program in P, or a constant T, which functions as 
an instruction indicating that the computation is finished. 

4. A vector CeZ^, which functions as an instruction pointer. 

5. A set 'S'=|s^. .^^1 of vectors of integers inZ^ indexed by vectors also in Z^ . Each S. is a 
storage "cell". 

6. A vector DeZ^, which functions as a storage pointer. 

7. One or more registers(^j,... of vectors of integers inZ^ for 0<m<N. 

8. The next instruction pointer mapping jiR^,...,R ^,Pg,S^,C,Dy. Z^^'"*'^^-'Z^ . 

9. The next storage pointer mapping giR^,...,R^,P^,Sg,C,Dj : Z^^ ^^-^Z^ . 

10. A specification of the registers that accept input from the host platform.

11. The register transition mapping h{R.^,...,R^,Pg,Sg,C,^:Z^"^*^^^Z^ , where k, 0<k<m,
is the number of registers not accepting input from the host platform.

12. The storage transition mapping q{R^,..., R^, ,Sq,C,D^: Z^'" Z^ .

This type of register machine can accept input from its host platform in one or more of the following 
ways: 

• through one or more registers,

• through one or more selected "cells" in the storage space, 

• through the initial contents of the storage space, 

• through the initial contents of the instruction vectors. 

In the case where one or more registers are used, the register transition mapping is adjusted so that it 
does not alter the contents of the registers accepting input from the host platform. The register 
machine may come with a list of registers and storage locations that function as outputs to the host
platform. 

A computation with this type of register machine is initialized with the following steps: 

17. The initial values of Ry,...,R^, C,D are given. Initial values for one or more storage cells 
in S may also be given. 

18. All the elements in P are given.

19. Compute and Sg. 

The computation step of this type of register machine consists of the following steps: 

20. Compute the next instruction pointer: C^=f(R^,...,R^,Pg,Sg,C,Dj. 

21. Compute the next storage pointer: & =g{R^,...,R^, Pc,Sq ,C, Dj .

22. Compute the value to be written to the current storage cell: S' =q{R-^,...,R^,PQ,Sg,C,D^. 

23. Compute the register transition mapping: ,...,Rj^=h{R^,...,R^,P^,Sg,C,D^, where/j,... 
specify the registers which the register machine may change. 

24. Set =S\ C = C', and 3 =3'. 

25. Compute P^ and Sg. 

The computation is considered to be ended when the instruction pointer takes on the "end-of- 
program" value, or when a specified "stop" instruction is encountered, depending on the embodiment. 

This type of register machine may be implemented using either polynomial or function
table representations of the mappings f, g, q, and h. These mappings are multivariate mappings over a
finite ring of integers, and may thus be encrypted using any of the previously described methods of 
encryption. During use, there are no requirements as to when the host platform changes registers 
accepting input, and no requirements as to when the host platform reads from designated "output" 
registers/storage cells. This allows computational work to be minimized.

Embodiment 2: Extends the capabilities of the above register machine, allowing universal
(Turing) computation. This type of register machine consists of the same elements as embodiment 1,
but has in addition the following:

26. The specification of a register dedicated to output of movement direction, in the form of an
integer y such that 0<y<m, and an integer z such that 0<z<d. The integer y indicates the
register, and the integer z, the component in which this movement is stored.

27. The specification of a register dedicated as output to a Turing platform. 

28. The specification of a register dedicated as input from a Turing platform. 

29. A Turing platform, where each storage unit is a vector in Z^. 

The computation for this second embodiment of a register machine is identical to the first, 
except that there is a requirement that the host now also do a Turing platform computation step using 
the specified registers. 

These register machines are amenable to a method of encryption similar to those previously
described. This method is difficult to implement with the previously mentioned Mealy-machine and 
BSS'-machine variants. 

Encryption of register machines uses multivariate mappings. The mappings of the register 
machine and the mappings used for encryption, may be represented either with polynomials or with 
function tables. If the mappings are represented using polynomials, N must be a prime number. If the
mappings are represented using function tables, N only needs to be big enough to accommodate the
abstract machine on which the mappings are based. The encryption technique used is similar to those
previously discussed, in that it uses symbolic functional composition to encrypt the mappings used to
express the register machine. The difference is that every element read from a register or storage cell
is encrypted with a key specific to each register or storage cell. Thus encryption and decryption
functions take register number or storage cell index vector as additional parameters. The encryption
function for any register number i is r_i(R_i). The decryption function for any register number i is
s_i(R_i). The encryption function for any storage cell indexed by D is v(S_D,D). The decryption
function for any storage cell indexed by D is u(S_D,D).

Prior to encryption, the user selects a subset I ⊆ S of storage cells to be encrypted. The user
also selects a subset J ⊆ {1,...,m} of registers to encrypt. In one further generalization of this
embodiment, it is possible to select storage cells and registers that are decrypted when used as
arguments in the mappings f, g, h, and q, but not encrypted when being written to. In such a further
generalization, it is also possible to select storage cells and registers that are read as plaintext, but are
encrypted when written to.

The pair (r_n,s_n) for a given n is generated as follows:

1. Two tables are defined, V and U, each with N^d × m elements.

2. Set every U(i,j) = -1 for all (i,j) such that 0 ≤ i ≤ N^d - 1 and j ∈ J.

3. Set every U(i,j) = V(i,j) = i for all (i,j) such that 0 ≤ i ≤ N^d - 1 and j ∉ J.

4. For every j from 1 to m do the following if j ∈ J:
a. For every i from 0 to N^d - 1 do:

i. Select a random b from 0 to N^d - 1 until U(b,j) = -1.

ii. Set U(b,j) = i and V(i,j) = b.

If r_n and s_n are represented as polynomials, r_n is interpolated using the elements of V converted to
d-vectors, and s_n is interpolated using the elements of U converted to d-vectors. If r_n is represented as a
function table, the function table of r_n containing lumped-together arguments and mapping values is
set equal to V. Similarly, if s_n is represented as a function table, the function table of s_n containing
lumped-together arguments and mapping values is set equal to U.

The pair (v,u) is generated as follows:

5. Two tables are defined, V and U, each with N^d × |S| elements, where |S| is the number of
elements in S.

6. Set every U(i,j) = -1 for all (i,j) such that 0 ≤ i ≤ N^d - 1 and j ∈ I.

7. Set every U(i,j) = V(i,j) = i for all (i,j) such that 0 ≤ i ≤ N^d - 1 and j ∉ I.

8. For every j from 1 to |S| do if j ∈ I:

a. For every i from 0 to N^d - 1 do:

i. Select a random b from 0 to N^d - 1 until U(b,j) = -1.

ii. Set U(b,j) = i and V(i,j) = b.

If v and u are represented as polynomials, v is interpolated using the elements of V converted to
d-vectors, and u is interpolated using the elements of U converted to d-vectors. If v is represented using
its function table, the table for v with lumped-together arguments and mapping values is set equal to
V. Similarly, if u is represented using its function table, the table for u with lumped-together
arguments and mapping values is set equal to U.

Both of the register machine embodiments can be encrypted in the same way. Encryption 
proceeds as follows: 

9. Generate the key pair (v,u), where v, u : Z^-* .

10. Generate the key pairs where r.,s. : Z^-^Z^.

11. In the mappings f, g, h, and q, for each i ∈ J, symbolically substitute R_i with s(R_i,i).

12. In the mappings f, g, h, and q, symbolically substitute S with u(S,D).

13. Symbolically compose h with v, giving v(h(·),D).

14. Symbolically compose q with v, giving v(q(·),D).

Due to the parametrization, a more general type of multivariate encryption is required: parametrized
multivariate encryption. The mappings of the register machine may be combined to a mapping 
H{R.^,...,R^,Pg,SQ,C,D^ where the above six conditions merely lay restrictions on the use of 
parametrized encryption, so that the partially encrypted machine has a chance of working. 

Parametrized multivariate encryption is done using key quadruples (c_i,g_i,r_i,s_i) applied to
groups of variables and mapping components as for multivariate encryption. This operation can be
applied to any mapping: h:Z^^Z^ . If the encryption is to be applied when h is a polynomial
mapping, N must be a prime number. The number of variables or mapping components grouped
together in the i-th group is c_i. There are in all k groups, of which the first l cover the mapping
components, and the remaining k-l groups the variables. It is a requirement that ^2l=\ ^r^^ ^"^^ ^1^°
a requirement that c.=d. The set J ⊆ {1,...,l} specifies the component groups of h that are to
be encrypted irrespective of whether that encryption is parametrized or non-parametrized. The set
I ⊆ {l+1,...,k} specifies the variable groups of h that are to be decrypted irrespective of whether that
decryption is parametrized or non-parametrized.

The number g_i either gives the index of a group of variables w._i (thus being such that
l<g_i<k), or is some other value greater than k or less than l (-1 is recommended, if possible),
indicating that no such group is referenced. If g_i references a group of variables, that group of
variables will be used to parametrize either the encryption of the group (if it is a group of mapping
components), or the decryption of the group (if it is a group of variables).

Whenever g_i references a group of variables or mapping components, the encryption and
decryption keys are mappings on the form: r.^:.Z^ ^'~*^n • Whenever g_i does not reference any
group, the encryption and decryption keys are mappings on the form: r.^.iZ^-^Zj^ .

The resulting encryption algorithm is illustrated for the function table representation by the 
method "ParamEncrypt" given in the file "CompTable.java" in the source code appendix. The 
algorithm is very similar to that for multivariate encryption. 

• Reserve a temporary table tf^ defining a function t^:Zj^d^Zj^e. 

• For every i from 1 to k set y_i = N^{c_i}.
Set z_1 = 1.

• For every i from 2 to l set z_i = y_{i-1} z_{i-1}.

Set z_{l+1} = 1.

• For every i from l+2 to k set z_i = y_{i-1} z_{i-1}.

• Initialize a vector {b^,...,bj^_^ to (0,...,0) . This vector represents the k-l variable 

blocks, in a base N'^' representation. For each variable block /: b^=^2j=[ ^'^~^^a*j' 
where a=Ylj=i ^j.r 



Reserve a vector(&/,...,6/_/). 
For every i from 0 to iV^- 1 do: 
Set M=0. 

• For every j from ^ to / do : 

• if Sj is not the identity mapping: 

A. if l<gj<k 

A. Set m=y^bj_i+b^_i 

B. Set bj'_i=rj(m) 

B. otherwise set bj_i=rj(bj_l) 

A. otherwise set bj_i=bj_i. 

B. Multiply u by y_j.

C. Add bj'_j to u 
Set ti(u)=t,(i). 

• Increment the vectorized index(&j,...,Zjj^_^) , taking into account the different sets from 
which the individual components may be taken. 

Reserve a vector (b^,...,b) . 
Initialize a vector (b[,...,bl_i) 
For every / from 0 to TV^ '^-l do: 

Set M 

Set g = Q; 

• For every j from / to 1 to: 

A. Set p to the integer result of u/Zj. 

B. Subtract pZj from u to get the remainder.

C. Set^J-^.^M. 

D. if is not the identity mapping 
A. if l<gj<k 

A. Set m=y^bj.+bg^^, 

B. Set bj=rpn) 

E. otherwise set b.-rp)'^ 

F. Add zljj to q. 
Settl{i)-q. 

• Increment the vectorized index , taking into account the different sets 
from which the individual components may be taken. 

Lastly, copy the function table of t^^ to the function table of .

Additional, more applied and less theoretical examples are provided below with reference to
Figures 5A-73. An exemplary transition diagram with its corresponding inputs, states, and outputs is 
illustrated in Figure 5 A. The uppermost state "0" (sometimes referred to as "node '0'") has three 
possible inputs (i.e., 0, 1 and 2), which cause transitions to states 1, 2, and 0, respectively while 
outputting symbols 1, 2 and 2, respectively. The corresponding pairs of inputs and outputs are shown 
in the form input/output, and the state to which the state machine moves as a result of the input is 
shown by the directional arc (sometimes coming back to the original state). A corresponding 
function table is illustrated in Figure 5B with the new states and outputs being shown in parentheses 
(i.e., in the form (δ,λ)).

As can be seen, the transition diagram does not include any dedicated state that can be 
used as a stopping state such that an outside observer would know that the calculation has ended, 
simply by looking at the current state of the machine. Accordingly, such a dedicated state is added so 
that the machine can signal the end of its computation (to itself and outside observers). 

Conversely, as shown in the transition diagram of Figure 5C, a node/state 3 is already 
isolated and may be used as a dedicated state q^. (In that exemplary embodiment, when a " 1 " is input 
in state "2", the transition is undefined.) Such a state machine includes a function table representation 
as shown in Figure 5D (including a corresponding undefined entry). 

Continuing with the example of Figure 5 A, by adding a dedicated state q^, and its 
corresponding arcs for each defined input, the transition diagram of Figure 6 is created. Such a 
diagram can be written equivalently as the function table of Figure 6B in which the dedicated state 
and the designated output symbol (indicating that the designated state has been entered) are written 
generically as q^ and B, respectively. This addition creates, from an existing domain D, an 
augmented domain D ' given by: 

D' = { (0,0), (0,1), (0,2), (0,5), (1,0), (1,1), (1,2), (1,5),

(2,0), (2,1), (2,2), (2,5), (q^,0), (q^,1), (q^,2), (q^,5) }.

Similarly, the example of Figure 5C can be augmented to include arcs corresponding to
designating the isolated node 3 as the dedicated state q^, thereby forming the diagram of Figure 6C and
its equivalent function table in Figure 6D. In light of the fact that the transition is undefined when in
state "2" and a "1" is received, the augmented domain corresponding to Figure 6D is given by:

D' = { (0,0), (0,1), (0,2), (0,5), (1,0), (1,1), (1,2), (1,5),

(2,0), (2,1), (2,2), (2,5), (3,0), (3,1), (3,2), (3,5) }.

As seen in Figure 7, various vectorizations are possible for the same original input, output
and state spaces. In the vectorization example where N>4, if N is not a prime number, the
vectorization should only be used when using function table representations for encryption and
computation. Preferably a user's selection of components/vectorizations is maintained between 
specification and use without the system attempting to perform a remapping. 

As seen in Figures 8A-8C, the determination of an exemplary prime number is provided for 
each of the three illustrated cases of N. Generally, if a polynomial representation is used for Figures 
8A-8C, N should be a prime number. 

Continuing with the example of Figure 7B, a prime number, 3, is used and a vectorization
corresponding to Afc=3d is selected in which: Σ' = {(0,0), (0,1), (0,2), (1,0)}, Q' = {(0,0), (0,1), (0,2),
(1,0)}, and A' = {(0,0), (0,1), (0,2), (1,0)}, such that the table of Figure 9A can be created by adding
dummy states until Q' contains 3^2 = 9 states. That is, starting with the originally defined 4 states,
9-4=5 rows (i.e., 5 nodes/states) are added to Figure 9A, each with their own corresponding 4 entries
per row. This initially leaves undefined all the entries corresponding to the newly added states, as 
shown in the bottom of Figure 9A. 

Similarly, having increased the number of states, the number of input symbols and output 
symbols are adjusted correspondingly. Adding dummy input symbols until Σ' contains 3^2 = 9
symbols gives Σ' = {(0,0), (0,1), (0,2), (1,0), (1,1), (1,2), (2,0), (2,1), (2,2)}. Corresponding dummy
symbols can also be added to A' to create A'= {(0,0), (0,1), (0,2), (1,0), (1,1), (1,2), (2,0), (2,1), 
(2,2)}. Each of the undefined entries (including the previously undefined entry corresponding to 
input (0,1) and state (0,2)) can be filled in with a specified value (e.g., ((1,0),(1,0)) to create the table 
of Figure 9B. 

As an alternative to the approach of Figure 9B, each of the undefined entries that would have 
otherwise been filled in with a common value can instead be filled in with domain-specific random 
values. For example, for each entry illustrated in Figure 10, each can be replaced with a 
separately selected random number from 0 to 2 (inclusive). This filling out of values randomly 
includes the previously undefined entry corresponding to input (0,1) and state (0,2). 

As an alternative to generating entries individually, rows of defined entries can be copied for
undefined rows. For example, using the vectorization of Figure 8B, an initial set of entries is
generated as shown in Figure 11A. A non-dedicated row (i.e., a row other than row (1,0)) is selected
(e.g., row (0,1)) and used as the source for filling in values in the first undefined row (i.e., row (1,1)).

Equivalently, the first isolated node (1,1) in the graph of Figure 11C is selected. The
transitions corresponding to node (0,1) are repeated for node (1,1), thereby creating the graph of
Figure 11D. The copying processes of Figures 11B and 11D are repeated until all the rows
corresponding to the newly created output variables are filled in.

In addition to the random row copying process that created the function table of Figure 11B
(and which is repeated as Figure 12A), transitions from the state being copied (q) to itself (q) can
randomly be set to point to either q or q' (the copied version of q). For example, after row (0,1) is
copied to row (1,1) as shown in Figure 12A, the (0,1) entry of row (0,1) can be modified to point to
the corresponding (0,1) entry in the newly copied row (1,1). Similarly, transitions in row (1,1) only
could have been changed, as could transitions in both rows (0,1) and (1,1) for entries corresponding 
to entries that point back to themselves within an original row. Equivalent changes are shown in 
Figures 12C and 12D. 

Again returning to the function table of Figure 11B (which is repeated as Figure 13A), an
existing function table can be modified to switch the labels assigned to any pair of nodes without the 
loss of generality. For example, state (0,1) can be switched with state (1,0), and in the graphical 
representation of Figure 12C would simply require a relabeling of the graph. However, the function 
table format results in a remapping as shown in Figure 13B. 

Figure 14A illustrates the process of interchanging input symbols using the function table of 
Figure 13B. By interchanging the columns of inputs (0,2) and (1,0), the function table of Figure 14A 
is transformed into the function table of Figure 14B. (Note that although Σ' = Σ, other mappings are
possible such that the interchange is really a specification of a new input symbol.) Certain other
criteria must also be examined, however, to ensure that such an interchange is acceptable. The first
criterion is that, if a Mealy machine is to read its own output at some later stage (as is supported by
Turing machines), every interchange of input symbols must be accompanied by a corresponding
interchange of output symbols. Using the example of Figure 14A, it would also be necessary to
switch the (0,2) and (1,0) output symbols. 

According to the second criterion, any interchange of input symbols must be recorded and 
stored locally, otherwise the rightful user of the machine may not be able to use it in a meaningful 
way. Input specifications provided to other parties must also be adjusted accordingly. 

Nonetheless, the third criterion (which acts as an anti-criterion) is that if the interchanges are 
only done in the dummy symbols, changes do not affect the computation and can be ignored. 

Similar to the process of Figures 14A and 14B (and with the same criteria), output symbols 
can be exchanged in an analogous fashion as shown in Figures 15A and 15B. (Note that although A' 
= A, other mappings are possible such that the interchange is really a specification of a new output 
symbol.) By interchanging the (0,2) and (1,0) output symbols, the function table of Figure 15A
becomes 15B.

Figures 16A and 16B illustrate a method of transforming state transition and output mappings
of an augmented Mealy machine to polynomial mappings. In the illustrated example, generally states
have two components x_1, x_2, and inputs have two components x_3, x_4 such that the output mapping has
two components λ'_1(x_1, x_2, x_3, x_4) and λ'_2(x_1, x_2, x_3, x_4). Thus, the state transition mapping of the
augmented machine has two components: δ'_1(x_1, x_2, x_3, x_4) and δ'_2(x_1, x_2, x_3, x_4). Generally each
polynomial interpolation of a mapping component may be visualized as exemplified in Figure 16B,
although Figure 16B is not intended to be drawn to scale. Thus, the interpolation for any given
component is only guaranteed to exist if all components (be they in state, input, or output vectors) can
be selected from the set of integers modulo some N, such that (a) N is greater than any possible
individual component value as given by the state transition table and (b) N is a prime number.

Figure 17 illustrates a method of precomputing the a_i(x) functions, given by:

a.(x)Kn— ) mod N, 
kEK i-k 

such that each a_i(x) is symbolically constructed only once for the specified set. Those results are
represented by their respective arrays of coefficients and can be used to decrease calculation time 
spent during computation. 
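The precomputation and the prime-modulus condition can be made concrete with a small interpolation over Z_3. This is an added example, not code from the patent's source appendix: it assumes the a_i(x) are the standard Lagrange basis polynomials over Z_N (the formula above is damaged in this copy), it uses one state component and one input component instead of two each, and only row 0 of the sample table follows Figure 5A as described in the text; the other rows and all names are constructed.

```python
def is_prime(n):
    return n >= 2 and all(n % p for p in range(2, int(n ** 0.5) + 1))


def poly_mul(p, q, n):
    """Multiply two coefficient arrays (lowest degree first) modulo n."""
    out = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            out[i + j] = (out[i + j] + a * b) % n
    return out


def poly_eval(p, x, n):
    """Horner evaluation of a coefficient array modulo n."""
    acc = 0
    for c in reversed(p):
        acc = (acc * x + c) % n
    return acc


def basis_polys(n):
    """Precompute a_i(x) = prod_{k != i} (x - k) / (i - k) mod n as coefficient arrays.

    Each a_i is built once; a_i(i) = 1 and a_i(k) = 0 for every other k in Z_n.
    The division needs (i - k) to be invertible for all i != k, hence prime n.
    """
    if not is_prime(n):
        raise ValueError("N must be prime: some (i - k) has no inverse modulo %d" % n)
    basis = []
    for i in range(n):
        poly = [1]
        for k in range(n):
            if k != i:
                inv = pow((i - k) % n, -1, n)            # modular inverse, Python 3.8+
                poly = poly_mul(poly, [(-k * inv) % n, inv], n)
        basis.append(poly)
    return basis


def interpolate2(table, n, basis):
    """Turn a fully defined table {(x1, x2): value} into coeff[e1][e2] of x1^e1 * x2^e2."""
    coeff = [[0] * n for _ in range(n)]
    for (i, j), value in table.items():
        for e1, c1 in enumerate(basis[i]):
            for e2, c2 in enumerate(basis[j]):
                coeff[e1][e2] = (coeff[e1][e2] + value * c1 * c2) % n
    return coeff


def evaluate2(coeff, x1, x2, n):
    return sum(c * pow(x1, e1, n) * pow(x2, e2, n)
               for e1, row in enumerate(coeff)
               for e2, c in enumerate(row)) % n


# Next-state component over (state, input) in Z_3 x Z_3.
# Row 0 follows the description of Figure 5A; rows 1 and 2 are constructed.
DELTA = {(0, 0): 1, (0, 1): 2, (0, 2): 0,
         (1, 0): 2, (1, 1): 0, (1, 2): 1,
         (2, 0): 0, (2, 1): 0, (2, 2): 2}

if __name__ == "__main__":
    basis = basis_polys(3)
    coeff = interpolate2(DELTA, 3, basis)
    print(coeff)
    print(all(evaluate2(coeff, q, x, 3) == v for (q, x), v in DELTA.items()))
```

The table must be defined at every point of Z_N × Z_N before interpolation, which is why the undefined entries are filled in first.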

Figure 18 illustrates a BSS machine to be modified into a BSS' machine under various 
conditions according to the present invention. Node numbering can be adjusted using the illustrated 
technique to begin numbering nodes at zero. Having generated a BSS machine according to Figure 
18, the input and output mappings are converted, and a computation mapping g is added to every 
node that doesn't have one, as shown in Figure 19. Figure 20A illustrates a BSS machine resulting 
from the calculations of Figure 19. It may, however, be easier to create an equivalent BSS' machine 
from scratch, such as the five node machine illustrated in Figure 20B. 

As shown in Figure 21, the method of transforming a BSS' machine into a single polynomial 
mapping includes expressing a set membership relation $x \in K$ as a polynomial. The result of 
symbolically multiplying together (x-if'^^, for every $i \in K$, modulo $N$ is called $b_K$. (Note that zero 
cannot be a member of $K$.) Since all K,j are disjoint, their intersections are empty. Moreover, $\Lambda(i,x)$ 
is symbolically calculated according to: 

L{i^)=b^ {x)n, ^ ^b^ {x)n, j^^{l -b^(x))n 
where $b_K$ is the polynomial expression for evaluating the set inclusion relation. The next node 
function, expressed as a polynomial, combines all the $\Lambda(i,x)$ according to the $a_i(x)$ functions using the 
domain definition: 

$$\beta(n,x) = \sum_{i=0} a_i(n)\,\Lambda(i,x),$$ 

where $p$ is the number of nodes and $N$ is the size of the field. The computation mappings are 
similarly combined to produce the computing endomorphism: 

$$\left( \beta(n,x),\ \sum_{i=0} a_i(n)\,g_i(x) \right).$$ 

Figures 22A-22C illustrate three consecutive steps in generating keys for univariate 
encryption of multivariate polynomial mappings. First the elements to be encrypted and decrypted 
are selected by a user. Generally, elements selected by the user to be encrypted (from within the first 
"e" elements) are placed in the set J, and variables from elements "e+1" to "e+d" that are selected for 
decryption are held in set I. To save unnecessary computation, components not in J and variables not 
in I remain untouched. Keys are only generated in a sufficient number for those components/variables 
actually affected. The definition of f gives the prime number used in generating key pairs. 
Key generation begins with the two arrays in Figure 22A. After one step of the key generation 
process, the arrays may take on an exemplary form shown in Figure 22B. After a second step, the 
exemplary embodiment is shown in Figure 22C. 

Figure 23 illustrates an interpolated polynomial (given by the array K) that is used to compute 
a permutation according to one aspect of the present invention. The inverse is computed in a similar 
manner using the array S. 

In order to save time (and component complexity), according to one embodiment of the 
present invention, a number of arithmetic operations are pre-computed. As shown in Figures 24A 
and 24B, it is possible to compute the multiplication and exponentiation of numbers and store the 
result in a look-up table for later (quick) reference. 

As shown in Figure 25A, a mapping d can be encrypted into a form h. When encrypting 
plural variables and mapping components of multivariate polynomials with univariate polynomials, it 
is possible to utilize constraints on pairs of keys. For example, using a set of function components 
and variables as shown in Figure 25B, it is possible to add a constraint that key pairs 1 and e+1 must 
be identical. Then, as shown in Figure 25C, selected variables i (from set I) are decrypted by 
symbolically composing them with corresponding inverse permutations $s_i$. Then function 
components j (from set J) are encrypted by symbolically composing them with the corresponding 
permutations $r_j$. Generally the result of s^, and yields the resultant partially encrypted h, E^^° h. 
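
The precomputation of Figure 17, the interpolation of a key array as in Figure 23, and the composition of Figure 25C can be followed on a small field. The Python below is an added example, not the Java appendix code; it assumes N = 7, takes K as all of Z_N except i, uses one variable and one component sharing a single key pair (r, s), and reduces degrees with x^N = x, none of which is stated in the specification.

```python
import secrets
from functools import reduce

N = 7  # assumed toy prime modulus, larger than every table entry
def poly_mul(p, q):
    out = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            out[i + j] = (out[i + j] + a * b) % N
    return out

def fold(p):
    # x^N and x agree on all of Z_N, so degrees >= N fold back below N
    out = p[:N] + [0] * (N - len(p))
    for d in range(N, len(p)):
        t = (d - 1) % (N - 1) + 1
        out[t] = (out[t] + p[d]) % N
    return out

def basis(i):
    # a_i(x) = prod over k != i of (x - k)/(i - k) mod N, lowest degree first
    coeffs = [1]
    for k in (k for k in range(N) if k != i):
        c = pow((i - k) % N, N - 2, N)  # inverse of (i - k), N being prime
        coeffs = poly_mul(coeffs, [-k * c % N, c])
    return coeffs

A = [basis(i) for i in range(N)]  # built once, reused by every interpolation
def interpolate(table):
    return [sum(table[i] * A[i][d] for i in range(N)) % N for d in range(N)]
def evaluate(p, x):
    return reduce(lambda acc, c: (acc * x + c) % N, reversed(p), 0)

def compose(p, q):
    # symbolic p(q(x)) by Horner's rule on the coefficient arrays
    out = [0]
    for c in reversed(p):
        out = fold(poly_mul(out, q))
        out[0] = (out[0] + c) % N
    return out

def keygen():
    R = list(range(N))
    secrets.SystemRandom().shuffle(R)  # R[x] = r(x), a random permutation
    return interpolate(R), interpolate([R.index(y) for y in range(N)])

H_TABLE = [3, 0, 5, 5, 1, 6, 2]  # constructed plaintext mapping h
r, s = keygen()  # s interpolates the inverse array S
enc_h = compose(r, compose(interpolate(H_TABLE), s))  # r o h o s
```

Evaluating `enc_h` on an encrypted input r(x) returns r(h(x)), so repeated application of the mapping stays under the same key pair.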

Figure 26A illustrates a partially encrypted E^_^ ° h (produced as a result of Figure 25C) to be 
used as a starting point in a process of re-encrypting plural variables and mapping components of 
multivariate polynomials with second univariate polynomials. That partially encrypted result 
undergoes the process of symbolically re-encrypting plural variables and mapping components of 
multivariate polynomials with second univariate polynomials as shown in Figure 26B. Thus, the 
original encryption is reversed and a new encryption is applied with a new set of keys. 

Figure 26C illustrates a result of the re-encrypting process of Figure 26B. Accordingly, a 
new E,- J. ° h is created which is the same mapping partially encrypted with key pairs (^i', 
Sx)-{r,J^^J) instead of with (r„ 5i)...(/'^^,s,w)- 

Figures 27A and 28A illustrate function tables for $f(x_1, x_2)$ and $g(x_1, x_2)$, respectively, that can 
be used in a symbolic composition of $g(f(x))$. Generally, the composition of $t_f$ from Figure 28B and 

from Figure 28C create the table $t_{fg}$ as shown in Figure 28D. Alternatively, the composition process 
is shown schematically in Figure 28E. 

Again assuming a mapping as shown in Figure 25A, function components selected for 
encryption are stored in the set J and variables stored for decryption are stored in the set I. As was 
mentioned in the description of Figure 22A, to save unnecessary computation, components not in J 
and variables not in I remain untouched (as is possible in all similar key generation phases). Having 
started with the arrays of Figure 29A, a first key generation step is performed, creating an exemplary 
representation shown in Figure 29B. Subsequent interpolation of each R/S pair is performed similarly 
to the interpolation of Figure 23. 

As with the process of Figure 25C, Figure 30 illustrates decrypting selected groups of 
variables, i, encrypting selected groups of components, j, and creating a partially encrypted result h, 
E^^° h. However, the process of Figure 30 utilizes multivariate polynomials instead of the univariate 
polynomials of Figure 25. In such a case, rather than key pairs being identical for elements 1 and 
e+1, key triples are identical instead. 

Similar to the starting point, process and result of Figures 26A, 26B, and 26C, respectively, 
Figures 31A, 31B, and 31C illustrate the starting point, process and result of re-encrypting plural 
variables and mapping components of multivariate polynomials. However, in Figures 31A, 31B, and 
31C, second multivariate polynomials are used in the process. Accordingly, by using key triples, a 
new £,.3, oh is created which is the same mapping partially encrypted with key triples 
(ci, ^i', 5i')...(Cft, r^,St) instead of with (c„ r,, Si)...(c^ r^s,). 

Figures 37A-38C illustrate a method of symbolic composition of two mappings using 
function tables. For the illustrated composition, $e(1,1) = 4$, $e(1,2) = 3$, $e(2,1) = 1$, and $e(2,2) = 3$. 
Thus, x's 2 component will "disappear" in the composition and not be used at all. The resulting 
composition, $h(f_1(x_4, x_3), f_2(x_1, x_3))$, is given by $g(x_1, x_3, x_4)$. Figure 37D illustrates an example of 
computing a composition for an entry $(x_1, x_3, x_4) = (0,1,0)$. 

Similarly, according to Figures 38A and 38B, a composition g is given by 
g(x,^^^,^,)=ih^(f,(x)/,(x)), h^(f^{x)f^im- As a result, for $e'(1,1) = 1$, $e'(1,2) = 3$, $e'(2,1) = 2$, 
and $e'(2,2) = 3$, an exemplary composition for {x^yX^^^^^ = (0,1,1,1) is illustrated in Figure 38D. 

Figure 40 illustrates a method of parameterized encryption of plural variables and mapping 
components of multivariate mappings with multivariate mappings. Three selection processes occur: 
(1) groups of variables to be decrypted are selected in either a parameterized or a non-parameterized 
manner; (2) groups of variables are selected as parameters; and (3) groups of components to be 
encrypted are selected in either a parameterized or a non-parameterized manner. In such an 
embodiment, key quadruples are used. 

As referenced by 4001, the inverse permutation $s_i$ is symbolically applied to the group of 
variables, i, selected for non-parameterized decryption. Similarly, at 4002, the inverse permutation, 
Sj, indexed by variable block g, is symbolically applied to the group of variables, i, selected for 
parameterized decryption. 

At 4003, selected groups of components, j, are encrypted by symbolically composing them 
with the corresponding permutations $r_j$. At 4004, selected groups of components, j, are 
parametrically encrypted by symbolically composing them with the corresponding permutations Vp 
indexed by variable block gj. The result is a partially parametrically encrypted h, E^_^o h. 

Attached hereto as part of the specification is a source code appendix of Java code. Such 
code is provided as an exemplary embodiment of certain routines related to the present invention and 
may need modification for certain environments. Such source code is not intended to limit the scope 
of protection afforded by the claims attached hereto. 

Obviously, numerous modifications and variations of the present invention are possible in 
light of the above teachings. It is therefore to be understood that, within the scope of the appended 
claims, the invention may be practiced otherwise than as specifically described herein. 



